Evidence of meeting #40 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was amendment.

A recording is available from Parliament.

Also speaking

John Clare  Director, Privacy and Data Protection Policy Directorate, Department of Industry
Christopher Padfield  Director General, Digital Policy Branch, Department of Industry
Lawrence Hanson  Assistant Deputy Minister, Science and Innovation, Department of Industry

11:45 a.m.

Conservative

The Chair Conservative David Sweet

Is there any other debate on NDP-10?

(Amendment negatived)

(Clause 7 agreed to)

(Clause 8 agreed to)

(On clause 9)

Clause 9, we have NDP-11.

11:45 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Chair, that amendment corresponds to an amendment that had already been defeated. Consequently I will withdraw it.

11:45 a.m.

Conservative

The Chair Conservative David Sweet

Okay. Does clause 9 carry?

(Clause 9 agreed to)

(On clause 10)

The first amendment we'll deal with is Liberal-3.

11:45 a.m.

Liberal

Judy Sgro Liberal York West, ON

Mr. Chair, maybe I'll speak to both amendments Liberal-3 and Liberal-4, because they both pertain to the same clause.

Both of these amendments were supported or proposed or contributed to by several witnesses, including those from the Insurance Bureau of Canada. They deal with the reporting threshold and the remedies for breaches.

Amendment Liberal-3 to clause 10 would require the reporting of any breach of security so long as said breach presented a real and significant threat of harm to an individual. The proposed amendment also clarifies the remedy associated with the breach.

If I can speak to amendment Liberal-4 on the same clause, this amendment was supported and proposed again by several witnesses, including those in the Insurance Bureau, and it requires that, unless otherwise prohibited by law, an organization shall, in accordance with any prescribed requirement, keep and maintain a record of every material breach of security safeguards involving personal information under its control. This amendment clarifies the previously broad nature of the provision and acknowledges that this legislation must exist within the context of a more complex system of law.

I was actually going to ask the department to comment on those two proposed amendments and what they attempt to do, which is to provide further clarification.

Would you like to elaborate on that?

11:50 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

The amendment has two parts. Many witnesses came before this committee and talked about the threshold for when organizations would be required to report a privacy breach to the Privacy Commissioner and the thresholds for when they would be required to notify individuals. That's the substance of the first amendment.

The proposed amendment would create two thresholds. For a report to the Privacy Commissioner, the breach would need to be a material breach. The criterion for a material breach is essentially that there's an aspect of risk, but I would argue it's designed to be a less objective test. You do look at the sensitivity of the information, but primarily you look at how many individuals were affected. Then the organizations do an internal review, and they ask whether this represents a systemic problem and whether it is evidence that they have a bigger problem here that they should tell the Privacy Commissioner about.

The other threshold is, as proposed in Bill S-4, the notification to individuals. This is unchanged. It would be a breach that is determined to pose a real risk of significant harm. This is a risk-based threshold. We look at the circumstances, the sensitivity and the probability that the information will be misused and the potential harm that it could cause, and those are the breaches we would tell individuals about.

It establishes these two thresholds, so what the Privacy Commissioner would be told about wouldn't necessarily be the same data breaches that individuals would be notified about.

From my own perspective what I found interesting about the testimony that the committee heard is that, on the one hand, business organizations like this because they don't want to have to tell the Privacy Commissioner about the one-off breach, the one that was really serious but only affected four or five people. They wonder why they need to tip off the Privacy Commissioner that this has happened. They'd rather only tell the Privacy Commissioner about the big problems, and deal with these with their clients directly.

Privacy advocates, on the other hand, didn't see these two thresholds as necessarily different. They saw them as nested in some way, so that the material breach was actually a lower threshold and that the Privacy Commissioner would hear about all of those breaches that affect one-offs—two or three people. But then for the ones that go to the individual, it's a higher threshold of that higher risk. They saw it that way.

From a policy perspective and as administrators of the law, the fact that you saw those two different views suggests that the provisions are not necessarily as effective and clear as they could be, if you have different stakeholder groups interpreting them in very different ways.

The committee may be aware that those two thresholds, the material threshold and the real risk threshold, were in previous versions of government bills to amend PIPEDA. But when Bill S-4 was drafted, this issue was examined and it was determined that because of those competing views, it was more simple, more effective for there to be a single threshold. An organization would look at a data breach and they'd say, “Is there a risk of harm in this circumstance? If there is, I have to tell the Privacy Commissioner and I have to inform the individual.”

That way the Privacy Commissioner knows about every single data breach that goes out to individuals. But to create accountability and to make sure that organizations are conducting these risk assessments in good faith, Bill S-4 creates a new requirement that wasn't in previous bills, and that's to maintain the records.

The process is very straightforward. I have a data breach. I determine if there is a risk. If there is, the notification goes out. If the determination is that there isn't a risk, that this may be evidence of a systemic problem or something like that, I have to maintain a record. The policy rationale behind that is that as soon as you require an organization to record this information and maintain it, they're going to pay more attention to it and this is how they're going to determine whether or not they have a systemic problem.

Bill S-4 gives the Privacy Commissioner the power to demand those records at any point. There's no threshold. The commissioner doesn't have to have any suspicion that something's going on. He can ask to see a company's records.

This gets to the second part of the amendment, which deals with that record-keeping requirement.

The committee heard witnesses saying that they were concerned about this requirement. What information were they going to have to maintain in the record? How long were they going to have to keep it for? They were nervous about the burden that it would create. The only thing I would point out to the committee is that all of those specific requirements will be set out in regulation, and there will be an opportunity to consult broadly with it.

The intention of the record-keeping requirement is to maintain only that information that's necessary to meet those two objectives I talked about: making sure the company pays attention to it, and providing a way for the commissioner to hold the company accountable for that risk assessment.

To the extent that the requirement to document a data breach may create a conflict in law that may be contrary to some other law, we're not aware of any federal statute that would prohibit a company from documenting that they have suffered a data breach. As for the specific requirements, if there was concern that there may be a conflict in law if the regulations say you have to keep it for five years and there is some other requirement that says you have to destroy these things after two years, all of that would be addressed during the regulatory process and it wouldn't be necessary to have that chapeau in the act saying unless prohibited by law.

11:55 a.m.

Conservative

The Chair Conservative David Sweet

Mr. Hanson.

11:55 a.m.

Lawrence Hanson Assistant Deputy Minister, Science and Innovation, Department of Industry

I just would add one additional contextual point that I think may be helpful in terms of the discussion of data breach writ large. When we think of private sector privacy law, we often tend to think of the capacities of large telecommunication companies or financial institutions, but I think it's valuable for the committee to bear in mind with this legislation that small and medium-sized enterprises are also required to abide by PIPEDA.

An additional reason for this, beyond those that my colleague has explained, is that by having a single threshold, you do not force individual small and medium-sized firms, which may not have the same capacity or access to legal advice, etc., to have to sort of arbitrate or adjudicate among different standards, but rather just have a single, clear standard they are able to follow. I think that's another explanation for the single threshold.

11:55 a.m.

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Hanson.

Is there any other discussion on Liberal-3 and Liberal-4?

We'll vote on them separately. First, we will have Liberal-3.

(Amendment negatived [See Minutes of Proceedings])

Now we'll vote on Liberal-4.

(Amendment negatived [See Minutes of Proceedings])

We're still on clause 10. Next will be NDP-12.

11:55 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

In testimony on Bill S-4 we heard a lot of different opinions on the implementation of a notice mechanism for data breaches. This is a contentious point. In fact I examined this at length when drafting my bill. I am referring here to Bill C-475 which was unfortunately defeated because of the Conservative Party.

Through this amendment, I want to propose a more objective threshold. Indeed, I would like the Privacy Commissioner of Canada to be responsible for assessing the prejudice the person whose data has been lost, breached, and so on could suffer.

This legislation does not only apply to large businesses, but also to small ones. However, small enterprises do not necessarily have the necessary means to determine if the data breach is serious. These businesses could turn to the Privacy Commissioner of Canada. He knows these issues and is in a position to determine whether the data breach justifies notifying the person.

Moreover, this amendment would allow the Privacy Commissioner of Canada to order organizations to inform the persons concerned. This would also force organizations to notify people and would give the commissioner a little more power. Indeed, he could ensure that the privacy of individuals dealing with the organizations is respected.

I think this threshold is more objective, that it would afford better privacy protection, and that it would reduce the burden on small businesses.

Thank you.

Noon

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

I'll just ask the officials if they have anything to add from the last conversation we had.

Noon

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Let me just point out to the committee how what is proposed is different from having the organization do an assessment of two thresholds in making that determination. As Madam Borg pointed out, the NDP amendment does create a two-step process, so an organization would first determine whether or not a breach posed a possible risk of harm and that would go to the Privacy Commissioner. Then the Privacy Commissioner would look at the data breach and determine whether or not notification to individuals was warranted.

The standard applied by the Privacy Commissioner would likely result in an appreciable risk of harm. The organization is accountable for telling the Privacy Commissioner, which creates an accountability on the part of the Privacy Commissioner to do a risk assessment and determine whether or not individuals will be notified. Bill S-4 places the accountability for both of those things on the organization itself.

Madam Borg's second point was that the amendment gives the Privacy Commissioner the power to order a company to notify individuals, whereas under PIPEDA currently and under Bill S-4, the Privacy Commissioner doesn't have the ability to make those orders.

Noon

Conservative

The Chair Conservative David Sweet

Thank you.

Is there any other discussion on amendment NDP-12?

(Amendment negatived [See Minutes of Proceedings])

Next will be amendment PV-14.

Mr. Hyer.

April 21st, 2015 / noon

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

This amendment reverts back to the proposed language for notifying the Privacy Commissioner about security breaches, which is found in the previous PIPEDA reform bills C-12 and C-29, but it is stronger and clearer. Why? It creates a mandatory security breach disclosure requirement at the federal level, and that is long overdue. Geist at the Senate said that Bill S-4 establishes the same standard of “a real risk of significant harm” for both notifying the commissioner and the individuals, but also said this is very puzzling. It means that there is no notification for systemic security problems within an organization. This is very likely to result in significant under-reporting of breaches. Our amendment creates incentives for organizations to better protect that information and allows Canadians to take action to avoid risks including identity theft.

Noon

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Hyer.

We'll turn now to the officials.

Noon

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

I would just point out to the committee that there are three Green Party amendments that all relate to the data breach provisions, and as Mr. Hyer pointed out, this creates that separate threshold for notification of the Privacy Commissioner as the Liberal amendment did.

Noon

Conservative

The Chair Conservative David Sweet

All those in favour of amendment PV-14?

(Amendment negatived [See Minutes of Proceedings])

Would you like to speak to amendment PV-16, Mr. Hyer?

Noon

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

These amendments lower the threshold at which an organization has to notify an individual about a breach. Instead of there being a judgment that there's a high risk of harm, an individual has to be notified if their information has ended up in the wrong hands.

For example, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by any unauthorized person.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Mr. Lake.

12:05 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

I'll go back to the officials again.

12:05 p.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Mr. Chair, the only thing I would point out to the committee is that, as Mr. Hyer points out, this eliminates a risk-based threshold and essentially replaces it with a requirement to notify individuals if the organization believes that some unauthorized person has accessed the information.

I would make two points. One is that the Privacy Commissioner testified before this committee and has long advocated for a risk-based approach, recognizing that we don't want to tell individuals about data breaches that don't actually pose a risk of harm. You want them to be told of those that they need to pay attention to, because part of the objective of notifying people is getting them to take action to mitigate or reduce the risk of harm, such as changing their PIN, calling their bank, and monitoring their credit card statements. If you create a system whereby individuals are constantly being notified of breaches where there isn't necessarily a risk of harm, you run the risk that they'll stop paying attention to them and they won't take the action that you want them to take.

The second point I would make is with respect to the California data breach law. The personal information covered by that law is much narrower than under PIPEDA. Under PIPEDA, the definition of “personal information” includes any “information about an identifiable individual”, so a lot of non-sensitive information is included, whereas the California law has a very specific subset of personal information, which is risky. It is highly sensitive information. Read together, it makes more sense that the California law applies to all data breaches and doesn't take this risk approach, because it already narrows what personal information it covers.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Clare.

All those in favour of amendment PV-16?

(Amendment PV-16 negatived [See Minutes of Proceedings])

Those are all the proposed amendments for clause 10. Shall clause 10 carry?

12:05 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Wasn't there one more? He still has one more.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

I'm sorry, Mr. Hyer. Please go ahead.

12:05 p.m.

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

No problem, Mr. Chair.

These amendments deal with the lines that greatly expand the regime of warrantless disclosure to law enforcement and government agencies. Canadian telecommunications providers that collect massive amounts of data about their subscribers are asked to disclose basic subscriber information to Canadian law enforcement agents every 27 seconds. In 2011 alone, that added up to over a million disclosures.

Warrantless disclosure, in proposed subsection 10.2(3) and Bill C-13, plus the information-sharing provisions in Bill C-51, create an extremely worrisome system of surveillance, opening the door for a more Big Brother sort of government.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Hyer.

Mr. Clare.