Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was organizations.
A recording is available from Parliament.
12:20 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
—adults who you have no reason to think are any different but have different characteristics, they are a different target market, how far do you have to go? I think that has been the concern.
12:20 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
How far do you have to go? You have to go to the point where the person would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information. That seems pretty clear.
12:20 p.m.
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
I think the second part of that question is, what constitutes vulnerable? It's not defined in the act.
12:20 p.m.
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Okay.
Well, the other side of it is the number of instances where you have that also for companies that target broadly. For instance your social networking sites that would target everybody need different policies to be able to appeal to different people.
12:20 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
They're gathering information; one would hope they know who they're targeting
12:20 p.m.
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
But they're targeting everybody.
12:20 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Well, then, you know what? Everybody includes kids, and if they're not going to differentiate, I guess they have to make everything easy enough for an eight-year-old to understand.
12:20 p.m.
Conservative
12:20 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Thank you, Mr. Chair.
I'm just trying to get clear in my mind this discussion about consent.
We've heard from both of you that this presents a challenge. You've said that it's a hardship, and that it costs businesses to be compliant. You've also said that it's unnecessary because the Office of the Privacy Commissioner is currently able to ensure valid consent of minors, and that industry best practices are high enough to protect minors, as well as other groups.
If it is the case that the current provisions are adequate, and if you're convinced that this change, which the commissioner says is useful, is not going to change much, why is there any additional cost associated with it? How can it possibly be a hardship if you're saying it's not doing anything?
12:25 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
I guess the assumption is that it must do something, otherwise Parliament would not enact such a provision.
12:25 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
The commissioner believes it will do something. He believes it will go down the road another step—I think that was how he put it—to securing better knowledge of consent, and a more meaningful consent.
12:25 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
I'm not really seeing how that would work. Again, the wording currently says that you have to state purposes in such a manner that the individual can reasonably understand how the information will be used or disclosed. The wording now says similar things; it says, “would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information”.
12:25 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
My question for you is, if that's the case, where is the problem?
12:25 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
What I would say is, if this doesn't do anything, then there's no reason for it to be here.
12:25 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
If it is here, I'd like to better understand what it does that's different from what we already have, where we already have this requirement that the individual needs to understand the purposes, and where we already have guidance from the OPC about how to treat children, for example, and other disadvantaged groups.
12:25 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Perhaps it just formalizes the guidelines you say industry is already following, and codifies them in law in a way that adds greater clarity. The commissioner believes that it adds greater protection. My question is whether it's either a burden and a hardship or whether it does nothing. I have trouble understanding that it's both a burden and a hardship to business, but that it doesn't do anything in this case. The commissioner says it is helpful; it is another step in providing meaningful consent. To me that's a worthy goal. I'm trying to understand what is the undue hardship to business that suddenly will transform the way business behaves.
12:25 p.m.
Special Digital Privacy Counsel, Canadian Marketing Association
Again, part of it is that we don't really know. If it is a clarification, it might be useful to have a revision that says “for greater certainty”, or something like that to indicate that we are just trying to clarify an existing obligation. Our concern is what this means additive to what's already here. If it doesn't do something additive to what's already here, there's no reason to enact it. That's how a court would interpret this.
12:25 p.m.
Conservative
The Chair Conservative David Sweet
Thank you very much, Mr. Elder.
Now Mr. Carmichael for four minutes.
February 17th, 2015 / 12:25 p.m.
Conservative
John Carmichael Conservative Don Valley West, ON
Thank you, Chair, and welcome to Mr. Hill as well. Your travels finally got you here.
I'd like to refer to the commissioner's comments earlier about the number of breaches that are becoming commonplace, and as he said, becoming a growing phenomenon. He's approximated at 60 a year the number of breaches that are being declared at this time. That's up or down a bit, but that's going to continue to grow with mandatory notification.
Mr. Smith, I would like to start with you directly, and then go to Mr. Elder. I wonder if you could give me some examples within your community, within the chamber, and within its membership, of what businesses are doing to take action today, to comply with this legislation that's coming forward.
In terms of protecting against such breaches, how are businesses getting ready for this type of phenomenon?
12:25 p.m.
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
There are a couple of ways to answer your question.
The legislation has been in place for over a decade now and it's working well. As you heard, businesses are reporting.
There are incidents. These breaches are increasing. You hear about them in the media. Generally, those are not the fault of the businesses. They're being attacked in a number of different ways. If you're talking from a cybersecurity perspective, they have challenges in being able to protect themselves against that. That's not unique to business. That's happening to government. It's happening to everybody. You heard that even the U.S. government was attacked.
From a small business perspective, they look at PIPEDA and are doing what they can to comply. Most of the breaches that you don't hear about are being handled at the front lines and reported to individuals. It's not coming back to the Privacy Commissioner at all. Generally there's no need for it to come back because there is no risk of harm to that individual once the breach has been dealt with. Systemically, they're managing these internally.
Is business preparing for the changes to PIPEDA that are coming under Bill S-4? They're certainly aware of them. Will they make any changes? Not until the bill comes into place, I would suspect.
12:30 p.m.
Conservative