Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was organizations.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
David Elder  Special Digital Privacy Counsel, Canadian Marketing Association
Wally Hill  Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association

11:35 a.m.

NDP

Annick Papillon NDP Québec, QC

Thank you, Mr. Chair.

When Minister Moore appeared before this committee a few days ago, I asked him whether the office would have sufficient resources and funds to accept the new and major responsibility that will follow once Bill S-4 is passed. He said that you had the resources you need for that.

Is that really the case?

11:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Clearly, we will do the work that we are required to do with the resources available. I said that this new obligation would lead to a major increase in our workload. In Alberta, the workload basically doubled when a similar mandatory notification system was adopted. The workload then levelled off in subsequent years, once the mandatory notification mechanism was adopted.

It would be premature to speculate on that, but we are pretty sure that the workload related to these notifications will increase significantly. In terms of the scope of the increase, we don't know.

I would suggest that we work with the resources we have, that we see how people respond and how many notifications we receive. After one or two years, we could see whether we need to allocate resources to that task.

11:35 a.m.

NDP

Annick Papillon NDP Québec, QC

When Ms. Kosseim appeared before the Senate committee, she also said that the issue of resources should be considered to its fullest extent because this new obligation will have an impact on resources.

Ms. Kosseim, do you have anything to add to that? The Senate committee does not always share what happens with this parliamentary committee.

11:35 a.m.

Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

Patricia Kosseim

In the commissioner's words, we will have to take a close look at this issue based on the experience we will have with the new system.

11:35 a.m.

NDP

Annick Papillon NDP Québec, QC

Very well.

Bill S-4 could force private sector organizations to report any losses or breaches of personal information. However, unlike what is set out in Bill C-12, the test proposed for this mandatory reporting is subjective since it enables the organizations themselves to determine, and I quote:

if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

In your view, is that test reasonable?

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

As I said earlier, we can think of various ways of sending these mandatory notifications. The important thing is to have a system. At the end of the day, this seems to be a reasonable system.

Alberta's experience shows that companies and organizations provide notifications in many situations. In roughly half of Alberta's cases, the provincial commissioner notifies individuals of breaches that are reported by organizations, which seems to show that the organizations report to the provincial commissioner in borderline cases, when the scope of the harm done to an individual is not as clear.

Yes, there is a threshold after which the notification must be given. However, I think Alberta's experience shows that this is an appropriate way of doing things.

11:40 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much.

Mr. Warawa, for five minutes.

11:40 a.m.

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Commissioner, and witnesses here.

You said that requiring organizations to keep a record of breaches and provide a copy to your office upon request will give your office an important oversight function with respect to how organizations are complying with the requirement to notify. We also heard of the 45 days. If you are dealing with a complaint, or dealing with an organization where there's a privacy complaint, presently you have 45 days to take action in your enforcement. If you feel that you need to take action, the action would be going to the Federal Court. Is that correct?

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes. If we fear that certain conditions that we feel are necessary for compliance will not be respected by an organization, we have 45 days to seek redress in the Federal Court.

11:40 a.m.

Conservative

Mark Warawa Conservative Langley, BC

Right. That's your enforcement tool; you have 45 days to take action. You're working with the organization if there's a privacy concern, maybe a change of the privacy policies within that organization, but you have 45 days to take action. I think you shared that 45 days is not adequate time and in many cases you're looking at a longer time. You may give that organization six months to make changes, and if after six months they haven't made those changes—they said they would, in a hypothetical situation—45 days is past, and you have no more tools to take action against that organization, then extending the 45 days to one year would give you an enforcement tool that's very necessary.

Would you agree with that?

11:40 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes, it gives us flexibility to come to an agreement that makes sense with organizations on how to comply with the act.

February 17th, 2015 / 11:40 a.m.

Conservative

Mark Warawa Conservative Langley, BC

Thank you.

The question came up in previous comments about consent. I'm thinking of changing technologies and data breaches. The world is changing as technology changes. We've heard recently about smart TVs that have voice recognition and people can make voice commands to a TV. If that function is on, do people really understand the consent that they've given to permit that, and what happens with that information? Is that information, the voices in the room, is that being put in text by a third party? What happens to that information? How important is it when people have given consent that they realize they've given consent?

Another part of the question of consent concerns children. Young children play games on tablets. Does a six-year-old or an eight-year-old understand the consequences of giving consent and providing their name, age, the town they live in, and their gender? What happens with that information? How important is it that there is understood consent that's given?

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We could spend a whole day on this issue of consent. Obviously, whether people provide consent with all knowledge of the consequences of their giving consent is a huge issue, and in many, many cases consumers, individuals, do not realize what they are consenting to. There's no question about that.

How does one ameliorate the situation? We think education is a big part of it. Guidance from the office is a big part of it for organizations and individuals. Is it possible to legislate this? The proposed definition of consent in Bill S-4 I think is a useful addition, but obviously you cannot prescribe all the potential situations where consent will be sought in the marketplace, so legislation has its limits. I think with the clarification that Bill S-4 provides, it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children, because the definition in Bill S-4 requires organizations to put themselves in the shoes of the individual whose consent is being sought: what does the individual understand? So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

11:45 a.m.

Conservative

The Chair Conservative David Sweet

Thank you, Commissioner.

Ms. Nash now for five minutes.

11:45 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

I'd like to pursue the questions of Mr. Warawa around consent, because it is a topic that is certainly addressed in Bill S-4, and it's a very important topic that most people truly don't understand in an era of rapidly changing technology.

I discovered to my surprise that I ended up owning one of these TVs. It's a good thing I never get to watch it, but it apparently has the potential to be allowing someone to listen in. It would be pretty boring, but....

I wanted to ask you specifically about children. You did mention the consent of children. We're going to be hearing from the Chamber of Commerce, and they have said in their submission that your office has not been hampered in its efforts to protect children through ensuring valid consent; therefore, a specific valid consent amendment is not needed. What's your view on that? We'll ask this question also to the chamber, but do you believe that a specific valid consent amendment for children is needed?

11:45 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would say that we have worked on complaints involving children, and we have been able to set certain parameters for how to obtain consent when the services provided by the organization are of interest to children, so it's not that we are currently without any tools to ensure the ability of consent generally and for children specifically.

That being said, I think it is useful to provide, to have the clarification that Bill S-4 proposes to have so that organizations see clearly from the definition of consent in what would be the new provision of PIPEDA, that they have to think about the clientele to which they're offering products and services. This probably is happening to some extent. Certainly it's happening to some extent for organizations, but it may not be happening for all organizations, and to have this clearly in legislation, that you must think about your clientele, I think would be useful.

Is it that are we without tools currently? No, but it would be useful to have this addition.

11:50 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

I have one last brief question. I think we've all been in a situation where we've gone to take an action online, and you are asked to read the terms and conditions. You click on it, and there are five pages of dense legal type. Those of us who are not lawyers, our eyes glaze over and so we are left with the question of what exactly we are consenting to. But if you want to conclude whatever transaction it is you're engaged in, you do consent even though you may not be fully aware of all of the implications.

Has the Privacy Commissioner and the commission explored the notion of plain language summaries or plain language translation of some of these legal documents, bearing in mind obviously that the legal contract is the binding one, but to get to the bottom line so that people fully understand what it is they're complying with?

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have done that in the form of guidance to organizations, asking organizations to use plainer language when they seek consent. That's obviously only an incomplete answer, but at the end of the day, it is organizations that know the service they are providing and know what kind of information they need, so they're in the best place to inform consumers and individuals. We're urging them to use as plain language as possible.

That being said, consent is a huge concern. We think that Bill S-4 is a step in the right direction with the clarification to the definition found in it. But as I indicated before, we're consulting stakeholders on what our priorities should be for the next several years on how best to improve the situation for individuals. The consent that they provide will almost certainly be among our priorities.

11:50 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Commissioner.

Thank you, Ms. Nash.

Now our last questioner, Mr. Lake.

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Thank you, Mr. Chair.

Monsieur Therrien, there are three provinces with legislation dealing in the same area. Is that accurate? They are Alberta, B.C., and Quebec.

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Right. When you're dealing with your concerns, your reservations that you express on paragraphs 7(3)(d.1) and (d.2), my understanding, and you can correct me if I'm wrong, is that the new proposed legislation brings us far more in line with what's happening in Alberta and B.C. with what their legislation does.

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's correct.

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

That's correct, and that legislation has been place for how long?

11:50 a.m.

Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

Patricia Kosseim

I believe 2004 was when they were adopted, in that timeframe. For those specific provisions, I don't know offhand.