Evidence of meeting #36 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippa Lawson  Barrister and Solicitor, As an Individual
Vincent Gogolek  Executive Director, BC Freedom of Information and Privacy Association
Michael Geist  Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

11:05 a.m.

Conservative

The Chair Conservative David Sweet

Good morning, ladies and gentlemen. Bonjour à tous.

Welcome to the 36th meeting of the Standing Committee on Industry, Science and Technology. We are studying Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

We have before us today, from the BC Freedom of Information and Privacy Association, Vincent Gogolek, the executive director.

We were going to have the Insurance Bureau of Canada here, but they're stuck on the tarmac in Toronto in a plane that was not able to go. They're trying to get on another plane, but of course they're not going to be able to make it to the meeting. We have already rescheduled them by phone for another meeting.

We also have before us Michael Geist, Canada research chair in Internet and e-commerce law at the University of Ottawa. He is testifying as an individual.

By teleconference we have Philippa Lawson, barrister and solicitor. She's coming to us from Whitehorse in Yukon.

Can you hear us okay, Ms. Lawson?

11:05 a.m.

Philippa Lawson Barrister and Solicitor, As an Individual

Yes, I can, thank you. Good morning.

11:05 a.m.

Conservative

The Chair Conservative David Sweet

Great. Good morning.

We'll go with the orders of the day in front of us. We'll begin with the opening remarks by Mr. Gogolek.

11:05 a.m.

Vincent Gogolek Executive Director, BC Freedom of Information and Privacy Association

Thank you, Mr. Chair.

Thank you, committee, for having us here.

You have our submission and there are a number of links in it to related documents. I won't take you through that. I'll just raise some of the points in there, and hopefully that will leave more time for questions on what is a very important piece of legislation.

I also want to say that we appreciate the fact that the committee is hearing from witnesses before second reading. We take this as a positive sign that the government is in favour of and open to amendments above and beyond its usual openness in the normal course of proceedings.

The first thing I'd like to talk about is the Spencer decision of the Supreme Court of Canada from last year. I'd like to concentrate on the B.C. aspect of it. As you know we have a special legislative committee that looked at our substantially similar legislation: the Personal Information Protection Act. The committee came out with recommendations for changes to our equivalent of section 7. You have the link to that report, I believe, through our submission.

The approach they suggested was a narrowing of the scope of the B.C. section.

The special legislative committee in B.C. also raised concerns—some of which we raised with them, as did the Information and Privacy Commissioner, Elizabeth Denham—about the question of substantial similarity between the provincial and federal acts, so there is some discussion in there.

In addition to the B.C. committee and the B.C. commissioner, the federal Privacy Commissioner, Mr. Therrien, has also indicated he has some concerns with section 7, and has suggested some changes.

The second point I'd like to make is something that we raised not before this committee, but before the access to information, privacy and ethics committee relating to political parties. Political parties are not covered at the federal level by privacy legislation. The large amounts of data collected by political parties are essentially unregulated. I don't think this is suitable. I don't think this is appropriate, and I think it diminishes the confidence that Canadians have both in the privacy law, because of this very large hole, but also in terms of what happens to their personal information.

I offer to you, by way of contrast, what we have in British Columbia where our provincial political parties are covered by the Personal Information Protection Act. Our commissioner has conducted investigations into complaints that were brought to her by individuals about the conduct of political parties. The commissioner investigated, reports were issued, and practices were changed, and yet the political system continues. There has not been a complete collapse of the political system or the political parties in British Columbia. I offer to you, as an example, what can be done and the kind of thing I think could be easily done by including the political parties under PIPEDA.

The final point—and I'll be quite brief because I believe that Ms. Lawson will be dealing with this as well—is a report we are currently working on for the federal Privacy Commissioner called “The Connected Car: Who is in the Driver's Seat?” The report will be released March 25 in Vancouver and we'll be happy to provide you with copies.

I'll leave Ms. Lawson to deal with some of the particulars. Of course we won't be revealing the report here today, but there are a number of issues related to privacy, of course, and consent and consumer choice. I think members of the committee will find that report very interesting, and we hope it will inform your work as well.

11:10 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Gogolek.

Mr. Geist, we will now turn to you for your opening remarks, please.

11:10 a.m.

Dr. Michael Geist Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Thank you, Mr. Chair.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I've appeared before this committee on a number of occasions on digital policy issues, including privacy, and I appear today, as always, in a personal capacity representing only my own views.

Actually I previously appeared before the Senate committee that was studying Bill S-4 and my remarks then focused on three broad issues.

First, I offered my support for several important provisions in the bill, particularly the additional clarification on the standard of consent, the extension of the deadline to take cases to the Federal Court, and the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings or other matters. Second, I identified issues that I think need amendment or improvement: the security breach disclosure rules, particularly the abandonment of a two-step disclosure process that was found in some earlier bills; the compliance agreements provisions, which I think could be strengthened with penalties or order-making power; and the expansion of voluntary disclosure of personal information between private sector organizations. Third, I talked about some missing provisions, namely, what I think is the need for mandatory transparency reporting.

My time this morning is limited, so I'm going to delve deeper into just two issues, the voluntary disclosure provision and transparency reporting.

On voluntary disclosure, as you know, Bill S-4 expands the possibility of personal information disclosure without consent or court oversight to anyone, not just law enforcement. As you know, the bill features a provision granting organizations the right to voluntarily disclose personal information without the knowledge or consent of the affected individual and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation, or even the prospect of a future violation.

This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. I believe this runs counter to the court decisions that we've seen from the Federal Court, which have sought to establish clear limits and oversight over such disclosures as well as the spirit of the Supreme Court of Canada's Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with such information. In fact, if we examine the leading cases involving disclosure of customer information in private litigation—not to law enforcement but in private litigation—such as in Warman v. Fournier, BMG v. Doe, Voltage v. Doe—virtually all emphasized the need for safeguards before customer information is disclosed, even as part of an investigation.

A House of Commons committee did recommend a similar reform in 2006, but that recommendation was rejected at the time, both by the Conservative government and the Privacy Commissioner of Canada.

I recognize that some have suggested that both Alberta and B.C. have similar provisions and that no harm has resulted from their approach. I'm not so sure. I don't think anyone can reasonably conclude that the provincial approach has not resulted in privacy risks or harms. It's important to bear in mind that the disclosure itself is not necessarily revealed to the affected individual. Indeed, the point is often to disclose without knowledge or consent, meaning the affected individual will not know that their personal information has been disclosed. Asking for evidence of harm when the harmful conduct is kept secret from those who are affected creates an impossible evidentiary burden. In fact, even if you believe that the disclosures might come to light through court processes should it reach that point, and we know that oftentimes the disclosures won't ever reach the point of a court case, provincial privacy law such as we find in Alberta and B.C. rarely involves having these kinds of cases come to light. It's no coincidence that the leading cases involving personal information involve PIPEDA, because those cases typically involved telecom companies, Internet service providers, websites, and banks, all largely governed through PIPEDA.

In other words, the existence of this kind of provision at the provincial level actually tells us very little about how it will be used under PIPEDA. The reform here, I think, is clear. There is no compelling need for a change. The current system has been in place for many years and there are dozens of organizations that are covered by the investigative bodies exception. It may have been a bit of a hassle 10 years ago, but now the reform makes little sense. Further, if there are specific industries that can point to concerns, I think those can be addressed through a narrow amendment, but the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.

Second is the need for transparency reporting. The lack of transparency in reporting requirements associated with personal information disclosures, I think, is a glaring omission from the bill. The revelations last year of over a million requests and over 750,000 disclosures of personal information in a single year, the majority of which happened without court oversight or a warrant, point to, I think, an enormously troubling weakness in Canada's privacy laws.

More recently, the Privacy Commissioner of Canada tried to conduct an audit of RCMP requests for subscriber information and was largely forced to abandon the audit when the data there were found to be inaccurate and incomplete.

Now, there are some companies, such as Rogers and Telus, that have begun to issue transparency reports, but there are others, most notably Bell, that have not. Most Canadians have simply no awareness that this is taking place. This deficiency can be addressed, I think, through two reforms.

First, the law should require organizations to publicly report on the number of disclosures they make without knowledge or consent and without judicial warrants. This information should be disclosed in aggregate on a quarterly basis—every 90 days. I'm not talking about disclosing it to each individual immediately; we're talking about its being on an aggregate basis and a quarterly basis.

Second, those organizations should be at some point in time required to notify affected individuals within a reasonable time. Leave aside the necessity to keep it secret, if necessary as part of an investigation; once it is concluded or a reasonable amount of time has passed, either get a court order to continue the secrecy or disclose the disclosure to the affected individual.

The adoption of those kinds of provisions—transparency reporting and that disclosure—would, I think, be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.

I welcome your questions.

11:15 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Geist.

Now we'll go on to Ms. Lawson, who is joining us by phone.

Please go ahead with your opening remarks.

11:15 a.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Thank you very much.

Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill S-4, which proposes amendments to PIPEDA.

My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent initiatives to legislate voluntary standards. As a lawyer with the Public Interest Advocacy Centre at the time, I was a public interest representative on the committee that drafted the code. I later advocated for legislation that eventually took the form of PIPEDA.

I have been closely involved with PIPEDA ever since, first in my role as a consumer advocate with PIAC and later as director of CIPPIC, both of whom I understand you have already heard from. In particular, I have conducted studies of private sector compliance with PIPEDA. I have lodged a number of PIPEDA complaints with the Privacy Commissioner. I have taken the Privacy Commissioner to court in order to establish that she had jurisdiction to enforce PIPEDA against foreign corporations acting in Canada. I published a study of security breach notification laws in 2007. I've been urging the government to adopt mandatory security breach notification laws since 2003.

Today I am speaking on my own behalf as a lawyer and privacy advocate. The last formal submissions I made on PIPEDA reform were in 2008 in my role as director of CIPPIC. Those submissions focused on three issues: security breach notification, protection of minors, and compliance and enforcement. The analysis and proposals made in those comments remain apt today, and I would be happy to provide copies of that submission to anyone who is interested.

I'm happy to see that the government has seen fit to address all three of these issues in Bill S-4, but I am disappointed that the measures in each case fall far short of what is needed. I will address each of these three topics briefly, but before doing so I would like to address an elephant in the room. That elephant is consent.

There is a pretense that companies are obtaining informed consent from customers to the collection, use, and sharing of their personal data. But anyone who takes the time to study what is actually going on will quickly see that this is, to a large extent, a fiction and that meaningful consent is rarely obtained from consumers.

Negative option consent is commonly used but rarely brought to the attention of customers. Consent is in fact often assumed simply by virtue of use of the service. Changes to privacy policies are simply posted on the company website and customers are expected to inform themselves. No one really expects individuals to read through lengthy, complex terms of service for every transaction. People simply don't have the time. If they do take the time to read the terms, they may find that they are notionally consenting to have their personal data used for purposes such as—and I'm quoting here from privacy policies that I've looked at—research, marketing, product development, and business purposes. In further violation of PIPEDA, many companies are refusing to deal with customers who won't agree to unnecessary uses of their personal data, such as marketing.

A reality check is needed on what is happening in the marketplace with so-called customer consent. In the meantime, proposed section 6.1 is a helpful qualification on what the law already requires. It may have some positive effect on what is, in my respectful submission, a widespread disgrace.

However, the current wording of proposed section 6.1 could actually have a perverse effect on the protection of children or seniors. If you read the clause, you will see that it fails to protect vulnerable populations to whom an organization's activities are not directed. All that a company needs to do to exploit children is to direct its activities to adults and then turn a blind eye to the fact that children are signing up. A simple fix is to revert to the earlier wording of this clause found in Bill C-12. However, if the aim is to protect children, a much more effective approach is simply to prohibit certain uses of personal data about children.

I have a few words on breach notification. This is long overdue, and it will certainly be an improvement on the current situation. But are the proposed rules going to be effective? Breach notification is about more than notifying individuals. An equally important goal is to create incentives for organizations to put in place strong security safeguards.

In order to create such incentives, there needs to be a real risk of significant financial harm to a corporation from failing to put in place adequate security measures. This is the test you should be applying to your assessment of the proposed breach notification regime: is there a real risk of significant financial harm to corporations from non-compliance?

I am not convinced there is. Fines apply only to failure to report or failure to keep records and require cumbersome proceedings and proof of intent. Civil lawsuits are too costly to make sense in most cases, and the Privacy Commissioner may be dissuaded from using publicity for this purpose as a result of subsection 20(1.1), which prohibits disclosure of breach notification reports. I do not understand that section.

Until there are real financial incentives for corporations to take appropriate measures to prevent breaches from happening in the first place, and to otherwise comply with privacy laws, non-compliance with PIPEDA will continue to be a cost of doing business in Canada.

I'd like to finish with a few comments on private investigations. I am very concerned that, if the proposed changes to the current investigative body regime exception go through, this bill will actually set back privacy protection in Canada.

I will not repeat the able submissions of my colleague Dr. Geist on this subject, but let me just point out that in the new world of cheap data storage and powerful data analytics, the only limits on how far companies will go in their efforts to detect fraud, criticism, or contractual breaches will be what you put in this law. With today’s technology, it’s less costly to gather more data and to apply analytical tools to a large database than it is to restrict the intake of data to that needed in the first place.

In this context, insurance companies and other companies will, no doubt, argue that it's reasonable for them to conduct what amounts to broad and deep surveillance of their customers in order to detect fraud.

Paragraph 7(3)(d.2) would allow just that. It requires no formal investigation. The disclosure just needs to be reasonable, not even necessary as in the previous formulation in Bill C-12. This provision would open the door to routine sharing of personal data among organizations based on nothing more than the always present risk of fraud. Moreover, there would be no transparency or accountability requirements. It would be a major setback for consumer privacy.

I understand that this amendment was based on the Alberta model, but I looked at the Alberta model, and subsection 20(n) of the Alberta statute is not as permissive as this. It actually limits sharing to certain kinds of organizations.

I urge you to remove these clauses from the bill and stick with the current investigative body regime. I also urge you to adopt the transparency measures that my colleague Dr. Geist recommended.

Thank you very much.

11:25 a.m.

Conservative

The Chair Conservative David Sweet

Thanks very much, Ms. Lawson.

We're going to go to rounds of questioning now. With a little math, and making up for the fact that sometimes even though I'm trying to keep very close to the time—it bleeds over a bit—we'll just do eight-minute rounds right across the room for each member.

We'll begin with Mr. Carmichael for eight minutes.

11:25 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you, Mr. Chair.

An eight-minute round seems like an eternity. It's a nice change.

Welcome to our witnesses. Good morning to all. Thank you for your testimony here today. It's good to see you all here.

Dr. Geist, thank you for your opening comments. There's a lot for consideration.

You suggested this bill may go too far in regard to changes around the investigative body regime. The Privacy Commissioner has suggested that there is no evidence from B.C. or Alberta that the system is actually flawed, and other stakeholders tend to support that amendment.

I wonder if you could respond to that.

11:25 a.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure. Just to reiterate some of the opening remarks that I made along those lines, I think we've actually seen a lot of people come forward and express concern about the particular provision. But specifically in regard to the Privacy Commissioner's comments—and I thought it was a good question—as I noted in my opening remarks, I frankly think it's almost an unfair burden to say where's the evidence of harm from Alberta and B.C. when people are kept in the dark about when these disclosures take place.

By definition, we are talking about disclosures that may occur where there is no notification of the person who's affected. We're talking about providing those kinds of disclosures without consent and without further disclosure. So these may well be happening, which I would argue in some instances may well be harmful, but frankly the affected individuals simply don't know. Therefore, I think it is very difficult to reach the conclusion that somehow this hasn't been harmful. These disclosures may well be happening under that regime—and indeed the way that Ms. Lawson described it, it seems somewhat likely that they are occurring—but most people won't even know this is happening. Moreover, if we look at the cases where these kinds of issues do come to light, which is typically when it finally makes it to court, they invariably involve Internet service providers, telecom companies, and the like, cases that go through PIPEDA. The notion that somehow we can get a good sense of what will happen under PIPEDA based on the experience in Alberta and B.C., I think is simply wrong because we don't even know what's really been happening in Alberta and B.C., and even if we did, we can see what takes place under PIPEDA, that being real efforts to try to get disclosure without appropriate oversight.

11:30 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you.

You've been calling for mandatory data breach notifications and reporting on this for quite a period of time. Could you explain why you feel it's just that important to PIPEDA, and expand your thoughts on that a bit?

11:30 a.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sorry, do you mean mandatory security breaches, or the transparency report?

11:30 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Let's go with transparency for starters.

11:30 a.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure, to start with transparency reporting, I think what we've learned over the last year is that privacy has become a major issue for many Canadians. It's the enormity of disclosures that are taking place without any sort of awareness. This is happening, frankly, I think to all of us. This is outside of Snowden-type revelations. It comes down to telecom companies and others being asked to disclose information on individuals hundreds of times every week. Up until fairly recently, we weren't even aware that was taking place.

One way to counter that is not to say that where there's appropriate investigations...and now, through the Spencer decision, appropriate oversight, stopping that from taking place. I think Spencer makes it clear that we need to have court orders when that takes place. But what we need as well is the ability to understand at least in aggregate how this is taking place. Transparency reporting would achieve that.

What we've had so far in Canada is a bit of a mixed bag. We have had companies like Rogers and Telus providing reports, although they differ somewhat, but the largest company of all, Bell, is simply standing on the sidelines and not disclosing. I think there's a problem when you have millions of Canadian customers of a company like that who don't even know under what circumstances the company discloses this information, and how frequently they disclose it, oftentimes without court oversight. Mandatory transparency reporting would help fix that.

11:30 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you.

Mr. Gogolek.

11:30 a.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

Yes, I'd like to just chip in here in terms of the B.C. situation. Our commissioner, Ms. Denham, in her submission to the special committee to review our PIPA on November 26, 2014, on page 21, noted the following:

Spencer may have clarified the constitutionality of warrantless disclosures to police, but it did not do the same for disclosures between organizations. It is currently not possible for my Office or for the public to know how much personal information has been or is being disclosed without the knowledge or consent of individuals under section 18(1)(c).

That's the equivalent of section 7.

For this reason, transparency reports should also include information about disclosures to other organizations.

The commissioner's approach was adopted by the special committee in B.C., and not only are they calling for transparency reports, they're also calling for them to be published—so, not secret reports but published reports.

11:30 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Just out of interest's sake, do you see the sheer volume of this reporting becoming a problem in terms of bottlenecks, that we'll be able to act on it? That's obviously the goal at the end of the day.

11:30 a.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

We've seen a couple of the largest telecom companies in the country, such as Rogers and Telus, start to do it. We've seen smaller players like SaskTel and TekSavvy do it. I think it's clearly doable. We've seen larger players on the global stage that face far more complicated circumstances. Vodafone, for example, discloses this for 40-odd countries. The notion that a company like Bell can't, or more accurately, I think, won't, is a real problem. And, no, I don't see any significant challenge.

The real problem has been that so much of this has taken place under the radar screen. The point is that when you've got Privacy Commissioner auditors going into the RCMP and finding that their data is inaccurate and incomplete, that strikes me as an urgent problem that ought to be addressed.

11:30 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you very much.

Ms. Lawson, I'd like to include you in this round, if I could.

You talked about the failure to report on keeping records. What impact do you think the new compliance agreements will have on the commissioner's ability to enforce compliance with PIPEDA?

11:35 a.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

I think they will be helpful, for the reasons that the Privacy Commissioner has already expressed to you.

I don't think that compliance agreements go far enough, though, in terms of giving the Privacy Commissioner the powers he needs to enforce compliance with this legislation. I don't understand why we don't give our federal Privacy Commissioner the same order-making powers as those given to his provincial counterparts, who administer similar legislation at the provincial level.

11:35 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Good. Thank you.

You talked about proposed section 6.1 and you suggested that it's a helpful provision, Ms. Lawson, but one that may have some negative impact on seniors and children.

I wonder whether you could expand upon that. We've had quite a bit of discussion around this issue over the past number of meetings. Could you comment on it? When you talk about the disclosures of privacy and consent and then look at the complexity and length of those documents, how do you see us fixing that problem?

11:35 a.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Those are two questions. I'll address the first one, which is the specific one about proposed section 6.1.

I think the useful thing to do is compare the proposed wording that you have in front of you with the text that was in the previous version of this bill, Bill C-12. The version that you have has a new phrase inserted.

The old one said:

the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences.

The new one says:

the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences.

First of all, changing “the individual” to “an individual” and then adding “to whom the organization's activities are directed” has now made it possible for organizations to simply direct their activities to the general adult population and not worry about the fact that children, seniors, or other vulnerable persons are notionally consenting to having their personal information used for things that they don't really understand.

11:35 a.m.

Conservative

The Chair Conservative David Sweet

Thanks, Ms. Lawson. I allowed an extra minute there for you to complete your answer. We'll have to try to get the rest of your answer in in another round.

Ms. Borg.

11:35 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much, Mr. Chair.

I would like to thank all of our witnesses for being here today. You all have some very interesting points of view.

My first question relates to the Spencer decision.

Mr. Geist, you have already testified before the Senate, but the decision had not yet been made. So I would like to hear your opinion on the decision and its possible repercussions on Bill S-4.

When the minister appeared, he seemed to think that no changes to Bill S-4 and the PIPEDA were required. I would appreciate hearing the other witnesses' comments on this, if they have any.