Industry Committee on Feb. 5th, 2015

Thank you very much, Mr. Chairman, and I appreciate the opportunity to come back, as you said, with my officials to talk about Bill S-4, the digital privacy act, which for me is a very important piece of legislation for a number of reasons: the context of the legislation in terms of Canada's digital policy moving forward but also our responsibility as a government, as a Parliament, to update our privacy legislation to protect Canadians.

But before I do that, I gather there were some changes in the committee membership, so I want to congratulate those of you who have been tasked to come onto this committee. As you know, the Department of Industry...and therefore your oversight of our activities, your advice, and constructive criticism, are of course an important part of our parliamentary function. To those of you who are on the committee, I look forward to working with you over the coming months as we move forward on pieces of legislation like this one here.

Thank you, Mr. Chair, for inviting me to appear before the committee today to discuss an important bill, the Digital Privacy Act, which is intended to better protect Canadians' personal information online.

You know, our government is focused on the mandate that we were given by Canadians back in 2011, to create jobs, focus on a growing Canadian economy and, as Minister of Industry, to move forward with an effective digital policy for Canada.

Also, we know that any government's plan that is centrally focused on the economy must of course have a robust engagement to strengthen Canada's digital economy. That's why last year I unveiled Digital Canada 150, our government's plan that sets clear goals for a connected and competitive Canada. It will help Canadians participate and succeed in our digital economy. One of the key pillars under Digital Canada 150 is the need to protect privacy.

The digital privacy act is an essential part of that goal. Our government understands that a strong digital economy requires strong protections for Canadians when they surf the web and when they shop online. The digital privacy act will modernize Canada's private sector privacy law by introducing important new protections for Canadians online. It sets clear rules for how personal information can be collected, used, and disclosed. It requires organizations to tell Canadians if their personal information has been lost or stolen and imposes heavy fines on companies that deliberately break the rules. It gives the Privacy Commissioner of Canada more power to enforce the law and to hold offenders to account. The bottom line is that it delivers a balanced approach to protect the personal information of Canadians, while still allowing information sharing to stop illegal activity when it occurs.

These are much-needed changes to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or more commonly known as PIPEDA. PIPEDA “sets out the ground rules for how private sector organizations...collect, use or disclose information in the course of commercial activities” across Canada. This should not be confused with the Privacy Act, which deals with how the Government of Canada handles the personal information of Canadians.

Let me share with the committee four areas where the digital privacy act will significantly improve PIPEDA.

First...data breaches. Unfortunately, this is an all-too-familiar topic for Canadians in our digital age.

It may surprise the committee members to learn that, under the current legislation, businesses are not obligated to notify Canadians of security breaches involving data under their control.

In other words, if a company's data is compromised and a hacker gets a hold of your credit card number, the company is not under any obligation to notify you. That's a serious problem.

Last December, for example, Target revealed that a data breach had compromised millions of its customers' credit and debit card information. In September, Home Depot announced that a data breach perpetrated by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud. On October 10, Kmart disclosed, in the United States, that almost all of its 1,200 stores throughout the States had been attacked by hackers, putting credit card and debit card details of customers potentially in jeopardy. Later in October, Staples announced a suspected breach of its customers' credit card and debit card information as well.

Canadian online consumers need stronger laws to protect them from similar fraud here. The digital privacy act will make it mandatory for an organization to tell individuals if their personal information has been lost or stolen and whether or not it puts them at any risk.

Under the Digital Privacy Act, organizations will be required to notify individuals whose personal information has been lost or stolen and let them know whether they are at risk of harm as a result.

Companies will have to inform Canadians of the steps they must take in order to protect themselves, such as changing their credit card PIN or email password. These are crucial safeguards to protect Canadians, and yet they are not currently in place.

The digital privacy act has been praised by consumer rights groups and those in the retail industry for its balance. The Marketing Research and Intelligence Association has said that they support the mandatory breach notification requirements that are in the bill. The Canadian Marketing Association has said that they support the changes to breach provisions.

The digital privacy act will make it mandatory that organizations also report these potentially harmful breaches to the Privacy Commissioner. When there's a privacy breach, not only is the individual informed by law; the Privacy Commissioner is also informed by law. In fact it will be mandatory for all organizations to keep records of all data breaches as well. If the Privacy Commissioner makes a request for these records, they must be handed over. Once law, organizations that deliberately cover up privacy breaches and destroy records will face fines of up to $100,000 for every person or client that they intentionally fail to notify.

The Office of the Privacy Commissioner of Canada is on the record as supporting these amendments as being in the best interest of Canadians. In addition, in my home province, the B.C. privacy commissioner has also recommended to their provincial government that they adopt the same approach that we have taken in Bill S-4.

Second, our digital privacy act clarifies the rules around obtaining consent to protect vulnerable Canadians online, particularly children and seniors, when companies ask to collect and use their personal information. For example, when the owner of a website for children wants to gather information about visitors to the site, the owner will need to use language that a child could reasonably be expected to understand. If the child can't be expected to understand how the information will be used, the child's consent would not be deemed valid. The owner would need to get consent from a child's parent.

This amendment makes it clear for companies how consent works under the act. This is something about which there has been confusion. This legislation does make it clear so that they can adopt best practices.

If an organization is targeting a product or service at a particular segment of the population, such as children, then any attempt to obtain consent must be adjusted accordingly.

Again, Mr. Chair, the Marketing Research and Intelligence Association agrees with these changes, saying that it “fully supports the provisions in Bill S-4 which provide added clarity for organizations when they seek the valid consent of an individual”. Given the increased use of smartphones and tablets among young people, the stronger rules included in this bill will make sure that individual Canadians, especially children and adolescents, can fully understand the potential consequences of sharing their personal information.

The Digital Privacy Act further protects Canadians by setting out certain exceptions in which personal information can be shared when it is necessary to protect an individual from harm.

In certain situations, it is in the public interest to share an individual's personal information without their consent. For instance, the information could be shared for the purpose of reuniting parents with a sick or injured family member when they are otherwise unable to contact that family member.

Another example would be by allowing banks and financial institutions to share personal information with law enforcement or family members when they suspect cases of financial abuse, especially to protect against elder financial abuse. The Canadian Bankers Association has applauded the amendments contained in this bill that would allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse, particularly of elders.

Mr. Chair, I want to pause here to address one issue that was raised in question period when this bill was debated in Parliament before being referred to this committee. That's with respect to the Supreme Court of Canada's decision in the Spencer case. Some have suggested that PIPEDA, and the digital privacy act by extension, in some way may violate the Charter of Rights of Canadians and need to be changed.

This is patently false. PIPEDA does not create any search or seizure powers for law enforcement. It does not require companies to hand over information to law enforcement. It only allows private sector organizations to voluntarily provide information to law enforcement and government agencies when they have the legal authority to obtain it. This decision does not mean that PIPEDA or Bill S-4 is unconstitutional, and no changes to Bill S-4 are required in that regard.

Some privacy advocates, including the Privacy Commissioner, have called for greater transparency on the part of businesses with respect to how often and under what circumstances they provide information about their customers to police.

Openness, of course, is one of the key principles underscoring PIPEDA, and nothing in PIPEDA prevents Internet service providers or other companies from publishing such transparency reports. I'm pleased to see that over the past year a number of Canadian companies have done just that.

Lastly, under the Digital Privacy Act, the Privacy Commissioner will have new powers and tools to enforce the act.

The former interim Privacy Commissioner supported this legislation when she said that the digital privacy act “will strengthen the privacy rights of Canadians. We welcome proposals to introduce a mandatory breach notification regime and the compliance agreement provisions that will make it easier for our office to ensure that companies meet the commitments that they have made. We strongly support these provisions.”

I would point out as well that before we drafted this legislation and before it was presented to the Parliament of Canada, we consulted with the Privacy Commissioner's office to ensure that this legislation satisfied their concerns with regard to privacy and that we were taking all reasonable steps to ensure that concerns that had been raised in the past about this type of reform were recognized and considered in the drafting of this legislation. That's why I'm grateful for the Privacy Commissioner's support of this legislation.

Under the digital privacy act, the commissioner will now be able to negotiate voluntary compliance agreements with organizations to hold them accountable for their commitments to correct privacy problems. In addition, the Privacy Commissioner will now have one year instead of 45 days to potentially take organizations to court if they don't play by the rules. The digital privacy act will also give the commissioner more power to name and shame, or to make information public where organizations do not play by the rules. This change will make sure that Canadians are informed and aware of issues that affect their privacy. Organizations either comply with the law or they will face public scrutiny.

Our government is balancing the privacy needs of Canadians and the ability of businesses to legitimately access and use personal information in their day-to-day operations. The Canadian Marketing Association has expressed their support overall for this legislation when they said that it “supports the government's effort and this bill to update Canada's private-sector privacy law”.

The Canadian Bar Association said, “We express our support for the digital privacy act”.

As we move forward with the implementation of the act, I look forward to working with the Privacy Commissioner to provide all the necessary clear and practical guidance to help with full compliance. The digital privacy act, as I said, is a much needed update to Canada's private sector privacy law, particularly in our modern digital economy.

The bill gives Canadians the assurance that their information will be equally protected, no matter who they chose to do business with in Canada.

Thank you. I would be happy to answer any questions the committee members have.

I would certainly like to again thank committee members for their consideration of this legislation. As you know, it's Bill S-4, not C-4, and this legislation has already been adopted by the Senate. It received quite deep and thorough study on the Senate side. This was treated, I think, with a great deal of respect and the necessary intensity, and I was pleased that it was adopted by the Senate. I look forward to this committee giving it the scrutiny that it deserves.

Thank you.

Thank you very much, Mr. Minister.

We'll go into our rounds of questions now. Colleagues, a couple of things. We have enough time for five minutes for each member and that's really it. So please don't take it personally if I have to interrupt you. I'll do it with as much dignity as I can. Also, at the end of the second hour, we will take a couple of minutes for a small piece of business. We'll go in camera for that.

So now we'll begin with Mr. Lake for five minutes.

Sure. I don't know if “balance” is maybe necessarily the right word, but the digital economy to thrive. I suppose the balance is found in not putting forward legislation that would have a chill in terms of firms aspiring to fully engage the digital economy and thinking that the Government of Canada was being too onerous in our expectations of what firms have to engage in in terms of responsible behaviour and protecting the privacy of Canadians. We want to have a balance. We don't want to be a barrier. We want to spur on greater adaptation of digital technologies and the digital environment, while at the same time recognizing that Canadian consumers deserve to be protected, not just at the same level as other countries around the world. We want to actually exceed other countries' approaches to these things and to give Canadians the best possible regime in the world, which is why there has been a great deal of consultation.

If I may say, if there's a criticism to be levied, it's that this legislation has taken too long to come forward, but we are here now and this legislation will be meaningful in striking the appropriate policy framework that will benefit Canadians.

You spoke earlier in your remarks about the Digital Canada 150 strategy and the importance of that strategy moving forward. I think everybody at this committee recognizes the importance of that.

How important is getting the privacy piece right in this piece of legislation to advancing the Digital Canada 150 strategy?

Digital Canada 150 has five pillars to it, 39 specific action items, and one national policy for all of Canada.

The first of the five pillars is connecting Canadians. It's making sure that we're all bound together and fully participating, as the second largest country in the world in size but 37th largest in terms of population. In a wireless sphere, with our connecting Canadians program and our investment on a P3 basis in infrastructure all across the country, it's that all Canadians are connected going forward. As well, of course, with our wireless policies, it's that we have world-class connectivity and competitive pricing with adequate competition, which is why we've taken the approaches we have on spectrum auction and spectrum transfer policy.

The second pillar is the digital economy. You'll remember when we first did our digital policy efforts in our first term in government, we talked about a digital economy strategy. Well, at the time, it was around the margins of the worst recession since the Second World War, and, of course, everything had the language of an economic policy and economics. But the truth is that a digital economy strategy, in my view, is a bit too narrow of a lens to put on a broad digital policy for a country. That said, there are specific measures that a government can take in order to ensure that the digital economy is moving forward. This speaks to it a little bit, but there are other measures as well.

One pillar is connecting us. The second pillar is the digital economy and the opportunities that exist within it. A third pillar is making the government more digital than ever before: the Open Data Institute that we have, the OpenScience initiative, making sure that government information is more accessible online than ever before, and taking those initiatives that Tony Clement, as President of the Treasury Board, has tackled.

The fourth pillar is protecting Canadians online, so: connecting Canadians; digital economic strategy; more digital government than ever before; and protecting Canadians online, which this legislation is central to.

The fifth and the final pillar is the one that I find most fun and interesting. Once you connect everybody, once you've made it more secure, you're taking full advantage of the digital economic opportunities, and the government is walking its talk and hopefully adopting the more digital approach to the way it does everything, then you breathe life into all of this with digital Canadian content. A central point to all of this is pushing our museums to be more digital, ensuring that the public broadcaster, the Canada Council for the Arts, and everybody who is engaged in telling Canadian stories to Canadians about Canada, our history and aspirations and all of these things. This country only survives if we have better understanding of our history, better opportunities to talk about our aspirations for the future. Breathing life into the content side is the fifth and final pillar.

None of these pillars stand on their own. If any one of these pillars was the entirety of the digital policy, it would lack comprehension. This is essential for us to move forward.

Thank you, Minister.

That's all the time we have.

Madam Borg.

Thank you.

Minister, you said that Bill S-4 did not violate the Constitution and that the Supreme Court's decision in the Spencer case did not apply to the provisions in the bill.

Did I understand you correctly?

Was any research done in that regard, further to the Spencer decision?

Yes, my department made certain that the bill respected the decisions of the Supreme Court of Canada, as well as the government's other obligations, including the obligation to bring forward legislation that respects the Constitution and legislation already in place.

Chris may want to provide a bit more detail on the Spencer decision and the implications for the bill.

You would agree, though, that the Spencer decision makes clear that Internet users have a reasonable expectation of privacy when online, would you not?

You say that the Spencer decision did create a certain clarity or ambiguity in respect to how you would interpret it around what is a lawful authority. In PIPEDA, we do allow for government institutions to make requests to Internet service providers. Are you suggesting that it is the opinion of the industry that a lawful authority would include a government institution?

Again, only with the consent of courts. The government cannot do it without consent. The legal framework still exists.

Okay, thank you.

I'm going to move on to another aspect of the bill.

As you said in your opening remarks, the purpose of the bill is to better protect Canadians' personal information, and that's an important step. With the bill having the title it does, one would think that the purpose was really to protect Canadians' personal information. Clauses 6 and 7, however, create new exceptions, under which organizations can share an individual's personal information without obtaining their consent or notifying them.

Do you think that is a good way to better protect Canadians' privacy?

No. I think that overstates it. I think the legislation is quite clear. We put forward this legislation after consulting with the Privacy Commissioner, as you know. The mandate of the Privacy Commissioner is certainly to err on the side of caution, not only in terms of the mandate of the Privacy Commissioner but in the approach that he or she has over time—

I would just like to point out that the Privacy Commissioner said he did not support that provision.

Just briefly, Minister, please.

As I said in my remarks, I think this strikes the right balance. I don't think Ms. Borg has the correct interpretation of either the Spencer decision or the legislation.

Thank you.

Mr. Carmichael now. Five minutes only, please.

Thank you, Chair. Welcome to the minister and his officials.

Minister, I agree with you with regard to PIPEDA and this legislation being long overdue. Clearly, technology has advanced at such a pace that legislation must catch up with so much of what can occur within the technology and the world around us today.

An area of concern to me as a grandparent is with my young grandchildren who, when I watch them on technology today, function much faster and ably as they work their way through their iPads or whatever it might be. One of the concerns I have is how this bill will protect my grandchildren and those of all Canadians. Can you expand a little bit on your opening comments in that regard and what penalties exist for those who break that trust?

Your caution is right. I know you just became a grandfather, I think again, very recently. Congratulations on that.

This is obviously an important part of the government's obligation as everything shifts to digital, and everybody is doing everything with tablets and smartphones at their convenience.

The approach to the legislation is about the consent that's offered. As you know, in the world of big data and in the world of collecting that data, we need to make sure children understand the risks that are online. Not all of this, of course, can be done or frankly should be done as a quasi-parenting function of the government. We all have an obligation to protect ourselves, those we care about, and the broader society.

But we also have institutions and bodies, such as the Privacy Commissioner, the Government of Canada, through legislation like PIPEDA, or through privacy legislation that we have as the Government of Canada more broadly when we're dealing with citizens' interaction with the government to ensure we are protected. This legislation takes steps to ensure, when a child is online and giving consent or sharing information, that the language used is, frankly, plain-spoken and can reasonably be expected to be understood by a child. I know that's a very subjective way of saying it.

Let's say, for example, that a child goes onto a website of a cartoon figure and provides his personal email address, home address, or phone number. That information was drawn out of the child. He's using the website in a way that was duplicitous or not clear, or the child might have given that information in a way...that was duplicitous, and a parent later finds out about it. That is reported to the Privacy Commissioner. The Privacy Commissioner can then take action. The entity putting up that website is forced to immediately take down the website and re-offer that information in a more responsible way.

Yes, there is some subjectivity in all of this, but the approach we've taken is to entrust the Privacy Commissioner with this approach, based on experiences in other jurisdictions around the world, in the trial and error they've had in trying to put in place this kind of public policy. Those firms that don't comply with this certainly can face penalties from the government, or by extension the Privacy Commissioner, and certainly some name-and-shame capacities. You would think that some of these firms, if they're engaged in this kind of behaviour.... If the Privacy Commissioner were to issue a report saying they were engaged in an approach of data collection about our kids that is unsafe and that violates the privacy of our kids, I think that would be a death sentence to that firm.

The powers that are in here are incredibly powerful in the free market for firms that are engaged in this kind of a process. The fine, as my deputy has just signalled to me, is $10,000 up to $100,000 either per data breach or per abuse of the privacy of individuals, including kids.

Good. Thank you.

Maybe we will just move to the other end of the spectrum and talk about seniors. I've run many seminars and round tables relevant to financial abuse, senior abuse, elder fraud, etc. I wonder if you could quickly talk to some of these issues as well, and how this bill will protect our seniors.

Yes. It's a difficult part of the legislation. I would suggest—far be it from me, committees are masters of their own agendas in how they move forward—that this is one piece of the legislation where there is, I think, a reasonable debate on the best way to move forward. The way we've put it forward in the legislation is obviously the way we've arrived at what we think is the best balance.

My own family experienced in years past the financial abuse of my grandmother by a caregiver. This is not an uncommon problem.

In the legislation under the current law, for example, if banks or financial advisers suspect that their client, a senior, is a victim of financial abuse, they are currently prevented from notifying proper authorities, in part because of the privacy protections. This legislation clarifies that.

The grey area is that very often the financial abuse is happening within the family. This is where it might be useful for this committee to draw in some witnesses to give the actual point-counterpoint, because it's a legitimate debate. When, for example, financial institutions, banks, clearly see or they're quite suspicious that there's financial abuse happening to a senior, if their only course of action is to inform the family, and they can't inform the authorities because of our current privacy law, that will not actually protect the senior, because it's often a family member doing the abuse.

I know that some have said that this is a hole in the legislation because it provides a financial institution the ability to inform authorities about suspected abuse of the elderly. It's true that we do create that provision, but it's because very often—I don't know what the proportion is—the financial abuse is happening within families. To inform the family would allow them to probably cover their tracks and get away with the abuse of a senior, and that's something we want to stop.