Industry Committee on March 10th, 2015

Evidence of meeting #36 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.

A recording is available from Parliament.

On the agenda

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

MPs speaking

Also speaking

Philippa Lawson Barrister and Solicitor, As an Individual

Vincent Gogolek Executive Director, BC Freedom of Information and Privacy Association

Michael Geist Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

11:55 a.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure. Perhaps I'll start by highlighting a couple of things.

We've talked, obviously, about the security breach rules and about the voluntary disclosure, but focus for a moment on penalties and order-making power. I think that to an expert in privacy who came to Canada and learned that our federal commissioner does not have order-making power, that would be, frankly, stunning. His provincial counterparts have it. His counterparts around the world have it. Frankly, it's embarrassing for our federal commissioner to go to international meetings of other similarly placed data protection and privacy commissioners and find that he simply doesn't have order-making power as his counterparts do. To me, compliance agreements are a step in the right direction, but order-making power is actually the more appropriate solution.

With respect to penalties, I think you're right. I think tougher penalties do make a difference. If anything, the government has provided us with a good example of how that can happen: the anti-spam legislation, which of course is coming in for some amount of criticism, but I was a supporter of it. I was on the national task force that looked at this issue, and I appeared before a committee. I think one of the places where it gets it right is with tough penalties and a clear opt-in consent approach. It basically says that consent is a fiction at some point in time, but it's a particular fiction under PIPEDA. We somehow have reached the conclusion that things like negative option check boxes, the little boxes at the bottom of a web page that you're never quite sure if you're supposed to check or uncheck if you want to have your information used or not—it's oftentimes designed to be confusing—are appropriate as a standard of consent. That's bunk. I mean it's clearly not.

What CASL, the anti-spam legislation, tried to do, was up that with opt-in consent and real penalties. We saw the CRTC come forward with more than a million-dollar penalty against one organization just last week. Those are the kinds of penalties that get the attention of organizations. That's a higher standard with respect to consent that I think also clearly has an impact. In some ways we have a model—the government has passed it—with respect to commercial electronic marketing. What we need to do now is to take that sort of model and acknowledge that it ought to apply far more broadly with respect to privacy protection in the private sector.

Noon

Barrister and Solicitor, As an Individual

Philippa Lawson

Perhaps I could jump in.

Noon

Conservative

The Chair Conservative David Sweet

Sure.

Noon

Liberal

Judy Sgro Liberal York West, ON

Go right ahead, Ms. Lawson.

Noon

Barrister and Solicitor, As an Individual

Philippa Lawson

I have three points in answer to your question. I agree with everything Dr. Geist just said.

The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a hard limit but is vague, that it include no marketing of children or seniors; no collection, use, or disclosure of personal data of children and seniors for marketing purposes. That's already in the marketing industry's code of conduct. Put it in the legislation.

The second point is on real consent. As Dr. Geist said, forget this fiction of negative-option consent. Require express opt-in consent for all non-essential uses of customer data, including marketing. What I found in my research is that companies across the board are now including marketing as one of their primary purposes of collecting our data in order to provide the service we've asked them to provide. They are now treating marketing as a primary purpose. They're certainly not getting express consent. In many cases they're not even getting negative-option consent; they're not even letting us opt out of that.

The third point is on order-making powers. As Dr. Geist said, penalties should be easy to impose. Penalties should not require intent, proof of intent, and quasi-criminal proceedings, but should be administrative monetary penalties such as what the anti-spam law is using.

Noon

Liberal

Judy Sgro Liberal York West, ON

Mr. Gogolek.

Noon

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

Just to elaborate a little bit and maybe take it to a slightly different place and come back to some of the things we were talking about before, one of the advantages of having penalties is that penalties generally are reported: company X was fined by the Privacy Commissioner. It's not just the monetary hit, but the reputational hit. Companies that have bad practices and bad procedures will have to pay a price for it. They will pay the price in terms of the fine, but they will also have to pay a price in the marketplace. As for deals with the private sector, companies don't want to be obviously and consistently deficient in protecting the personal information of their customers.

Noon

Liberal

Judy Sgro Liberal York West, ON

I have one further question.

In your report, Mr. Gogolek, you mentioned bringing Canadian political parties under PIPEDA.

Would you like to elaborate a bit on that?

Noon

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

You are the politicians. You've presumably all used your various party data bases. You know that there's a lot of information collected on a lot of people. One of the problems is that parties are not subject to any restrictions on this. All the various penalties and protections we've been talking about here in terms of the private sector don't apply to political parties, at least not at the federal level.

Again, I would offer you the example of the situation in British Columbia, where the parties are subject to the act and where we have seen the process in action, with the commissioner conducting investigations and issuing reports as a result of complaints about how personal information was being dealt with or about party procedures. The parties have changed the way they deal with things and life goes on. I think everybody involved has a better feeling of how the system works. At least we know that there is some level of protection. If something goes wrong or we feel uncomfortable, we do have an avenue of redress, which doesn't exist right now at the federal level.

Noon

Conservative

The Chair Conservative David Sweet

Thank you.

And now we go to Mr. Warawa, for eight minutes.

Noon

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you to the witnesses here today.

I think each of the witnesses is aware that there have been hearings back to 2006, which I think Mr. Geist referred to.

PIPEDA was written in the 20th century. It's over a decade old and it needs to be improved. This is what Bill S-4 attempts to do.

Also, it is almost impossible to get unanimous support for any piece of legislation, so I think there has been a lot of energy that's gone into improving PIPEDA. Canadians want companies to tell them if their personal information has been lost or stolen and if they've been put at risk. I think that consent needs to be appropriate, particularly for target groups like children.

Dr. Geist, you've been involved with providing input to the Senate. You were involved in the hearings back in 2006.

My question is for Mr. Gogolek. When the Senate dealt with this at committee a year ago—not quite a year ago, but when the hearings at the committee in the Senate were beginning on Bill S-4, did you appear as a witness? As you're aware, any legislative changes have to be supported in both Houses, and Bill S-4 began in the Senate and is now in the House of Commons. Were you a witness when this was dealt with at the Senate?

12:05 p.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

No, I was not.

12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Did you provide a submission?

12:05 p.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

No, we did not.

12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Why not?

12:05 p.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

Well, we were not asked.

12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

We do get submissions regularly presented to the chair, and this is a very important issue, and I welcome your input today, but again, any changes, amendments, would have to be agreed in both the Senate and the House, so if we were to make amendments now, after all this work, it would have to go back to the Senate. There is not adequate time for it to be passed in this Parliament.

Ms. Lawson, did you appear as a witness at the Senate?

12:05 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

No, I did not. I was not invited and I did not appear or participate at the Senate stage.

However, I believe both CIPPIC and PIAC did, and they made a number of the same points that I'm making now. When I look back at the debates, many of these points were made at that stage, and I just don't understand why those amendments were not made by the Senate.

12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Did you provide a submission when this was dealt with at the Senate?

12:05 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

No, I did not.

12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Okay.

Chair, I think it would have been very helpful if these points had been made at both the Senate and the House.

My question relates to a presentation made by the commissioner. The commissioner made a presentation not quite a year ago, in June of last year, before the Senate committee as they were dealing with Bill S-4, and then appeared before this committee on February 17.

I just want to read the summary of the commissioner. The commissioner does have new tools and greater flexibility to enforce PIPEDA. The commissioner said:

Overall, the introduction of Bill S-4 is a positive development for privacy protection in Canada. PIPEDA was written in the 20th century. It is more than a decade old. From a privacy perspective, the world has changed dramatically during this relatively short time. Passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the Office of the Privacy Commissioner better protect Canadians while addressing the emerging privacy issues of the 21st century.

Also unable to be with us today, Chair, is the Insurance Bureau of Canada. They provided a submission to the Senate when this was dealt with last year and they've communicated their support for aspects of the bill, particularly the fraud prevention measures.

Generally, the committee has heard support for this, and it's important that we provide the protection Canadians want. Bill S-4 does that.

Do any of the witnesses here today have a critique of the commissioner's perspective in supporting Bill S-4 going ahead?

March 10th, 2015 / 12:10 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.

In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.

We got first reading of Bill C-29 in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.

The next bill that was introduced was Bill C-12, which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.

We finally now have Bill S-4, on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.

With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.

So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

Go ahead, Mr. Gogolek.

12:10 p.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

I have another quick point, which is that, as I mentioned at the beginning of my prepared remarks, the government has decided to refer the bill to this committee before second reading. Presumably, that is because it is open to amendments beyond the statement of principles of the bill. I find your remarks a little puzzling in terms of the difficulty that could ensue if amendments were to be made. Presumably, the government and the government House leader would have been aware of those difficulties when they in fact took the unusual step of breaking the normal process of things, and referring Bill S-4 to this committee before second reading.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Gogolek.

We'll move on now to Ms. Nash for eight minutes.