Evidence of meeting #35 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Jean Nelson  Honorary Executive Member, National Privacy and Access Law Section, Canadian Bar Association
Suzanne Morin  Executive Member, National Privacy and Access Law Section, Canadian Bar Association
Tamir Israel  Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
John Lawford  Executive Director and General Counsel, Public Interest Advocacy Centre

Noon

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

From the CBA's perspective, we totally understand the movement from investigative bodies to the regime that's proposed in Bill S-4, which is similar to B.C. and Alberta, as you just stated. Because of the concern we had been hearing in the media and others, when you read the words on the page, we thought that maybe there's an opportunity just to rein it in a little bit, so we proposed very targeted amendments to more reflect what actually happens in practice today under investigative bodies. It was more in keeping with the environment of the time, I think, that those recommendations are being proposed.

Noon

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Lake.

Ms. Borg, you have the floor for four and a half minutes.

Noon

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

I will keep my questions short so that there is as much time as possible for the answers. I have two questions.

My first question is for all the witnesses. Since this bill was drafted, we have had the Spencer decision.

Do you think the committee should introduce amendments or make some changes as a result of that decision?

Noon

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

Ideally, proposed paragraph 7(3)(c.1), which was at issue in Spencer, was one of the more controversial paragraphs that were dealt with in the consultation that led to this bill. Our position then, as it is now, is that it should be struck. We think that Spencer understates that.

Spencer closes the door to some sharing in specific contexts, but there are still ambiguities around what's going to happen in other contexts, and in the interim when that exception was introduced, literally millions of Canadians' private information was given to law enforcement under criteria we're not comfortable with. We would like to see it shut down, and have that provision repealed.

We'd also like to see the inclusion of an individual notice obligation whenever a private company voluntarily provides information to the state, unless it impacts on an investigation or something to that effect. We would like to see that.

Those are things we have, for a while, been calling for and that we would like to see in PIPEDA sooner rather than later.

Noon

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

From PIAC's point of view, the amendment to remove or change the information sharing between corporations needs to be looked at because, as Tamir mentioned, there is some risk of companies using that in contexts like copyright against consumers, where judicial process would give them more protection and is far more appropriate. I see no safeguards and I anticipate there would be some misuse of this section. For that reason we would recommend some amendment in that section.

12:05 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

Ms. Morin, what do you think about that?

12:05 p.m.

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

Clearly, our position is different. We don't think amendments need to be proposed for PIPEDA or Bill S-4. The Supreme Court did its homework, which was to interpret one provision in an existing piece of legislation. We therefore don't think amendments need to be made.

12:05 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

My second question is for Mr. Israel and Mr. Lawford.

In terms of the compliance agreements, we know that one of the objectives of the bill is to ensure that organizations are really taking PIPEDA seriously, which is unfortunately not always the case right now.

Do you think the compliance agreements proposed in Bill S-4 are sufficient to really encourage organizations to comply with Canadian law?

12:05 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

The addition of compliance agreements is helpful, but it addresses a very specific scenario. What happens with a privacy complaint is that it goes to the commissioner, she does her report, and she issues a recommendation. It's a non-binding recommendation, so let's say the company agrees to comply. If it changes its mind a year later, you basically have to start from scratch and file another complaint. There is no mechanism to make that enforceable.

The compliance agreements help a lot in that context, but they don't help with one issue that we're concerned with, which is to put in place incentives for proactive compliance. For that to be in place, you need some type of potential damages to happen if you violate the principles of PIPEDA in a very clear and egregious way. We think that's needed for PIPEDA. Most other privacy and data protection commissioners around the world have those types of powers. We would like to see that in PIPEDA as well.

Thank you.

12:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

I generally agree with Mr. Israel. Compliance agreements are a kind of band-aid. What you're really looking for, I think, is order-making power on behalf of the commissioner. It will help with some situations. However, long negotiations with companies may or may not actually have the result that the Privacy Commissioner wants, even with compliance agreements.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Thank you.

We'll now go to Ms. Sgro for three minutes.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Thank you very much, Mr. Chair.

Mr. Lawford, you're not happy with where Bill S-4 is.

12:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

February 19th, 2015 / 12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

It's very clear that you think there's just too much: it has to be a material breach, it's this, it's that; it's not clear enough.

How could we clarify it and make it stronger, so that it would satisfy you and your organization?

12:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

We are proposing today a hybrid model, one that looks a lot like what was in Bill C-12. In order for it to be two steps, you would have to have a reporting of material breaches of security safeguards, as it was worded in that bill, that affect personal information, as a first step, only to the Privacy Commissioner. Then, as in Alberta, it's better to leave the decision about whether to notify individuals with an impartial third party, the Privacy Commissioner, rather than again leaving it up to the company, which is what this bill.... It places a lot of responsibility on companies, actually. If they make a call badly, it's just preferable to leave it in the hands of an impartial third party.

That would be what we propose, that two-step approach.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

On the issue of risk, the company can probably argue that they didn't think it was of significant risk so they didn't report it. They can appeal and get around the system that we're trying to put in place.

12:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

John Lawford

That's our concern, that the assessment done by the company may not be taking factors into account that the Privacy Commissioner might think of. They have a limited view; the Privacy Commissioner will have seen lots more situations.

It's not malicious. It's just what will happen.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

It's just the way it is.

12:05 p.m.

Executive Director and General Counsel, Public Interest Advocacy Centre

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Ms. Morin, you mentioned the concern about the record-keeping, or your colleague did, and that it would be very difficult to keep track of it all, and so on. Do you want to elaborate a bit further on that issue?

12:05 p.m.

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

I did hear the testimony earlier this week where that came up. Maybe I can give you a really quick example of it.

Take a call centre context, where someone calls in and says, “I received the bill of my neighbour at my home.” What would happen in that context is that the call centre representative would say, “Oh, that's horrible. We'll send you an envelope; can you please send the bill back to us?” Then the call centre representative would reach out to the other customer and say, “We're very sorry, but your neighbour received your bill. We apologize.” They would then make amends.

That situation is technically a breach of security safeguards, because the wrong bill went to the wrong customer. It's a one-off. It's not insignificant to those two customers, but it's insignificant in the grand scheme of when you think about breach notifications. The way Bill S-4 is worded today, it would require us—by “us” I mean any industry or organization subject to PIPEDA—to develop a system to log that somehow. It's taken care of. It's managed. It's handled. But it would have to be logged somehow, through a different system. Otherwise the organization is subject to new offence provisions, which are very serious. The breach notification offences are quite serious in the record-keeping—

12:10 p.m.

Liberal

Judy Sgro Liberal York West, ON

But doesn't that go back to the company having sloppy processes in place? That's just one example. I suspect there are probably lots of examples.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

Very briefly....

12:10 p.m.

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

Every organization has breaches of their security safeguards. That goes without saying. Some are more significant to Canadians, broadly speaking. Others are not. We should focus on those that are of the most concern to Canadians.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

Thank you very much.

Again, my apologies to the witnesses.... Thank you very much for your indulgence in our democracy. I appreciate it. If there's anything else that you'd like to submit, please do so in writing and we will treat that as evidence.

Colleagues, if you would indulge me for one more minute, there's an item that we have to deal with in camera that normally only takes 60 seconds. I can suspend for a couple of minutes. We have quite a window of time since it's down the hall.

Let's suspend for a couple of minutes to clear the room.

[Proceedings continue in camera]