Information & Ethics committee  I think when you're talking about order-making powers as distinct from penalties, which I think is a bit of a different argument, it really does come to that point. It's about collaboration. I'm here today representing the CMA, but I'm in private practice and I have other clients.

Information & Ethics committee  If I may just add to that, as a very specific example within the regulations now for “publicly available”, one of the categories talks about how if it's “published”, and it gives examples of being published in a newspaper or a magazine or things like that. We've had several interpretations out of various privacy commissioners' offices across the country that say you can publish a blog every day and have 50,000 readers, but that anything you publish on that blog does not count as being publicly available for the purpose of the regulation.

Information & Ethics committee  I'm certainly not an expert in California law, but I would point out that currently under PIPEDA, and under the principles at the end, there's a general right to withdraw consent for the use of any personal information, subject to contractual or legal restrictions. I would think that in a situation where someone had posted something themselves and wanted it removed, and there was no other valid contractual or legal reason an organization should keep or post it, in many cases PIPEDA would now require that it be removed.

Industry committee  I'd preface my remarks by saying I'm not sure this is really an issue that the Canadian Marketing Association is pushing. That being said, I wear other hats, so I would say that the practice is a bit mixed across the country with regard to voluntary disclosure to law enforcement.

Industry committee  I think that is probably one that's better put to the drafters who know the law, frankly.

Industry committee  If I could add to that, I would say that the other thing working here is that in all cases, this is being overseen by the Office of the Privacy Commissioner. At first instance, a business may make the call as to whether something creates a significant risk of harm, but ultimately that will be up to the OPC to review at some point, or a court, and if organizations get it wrong, that's an offence under this act.

Industry committee  I think, as we heard from the Privacy Commissioner himself this morning, the experience with the breach of reporting regime in Alberta and with the voluntary regime in the rest of Canada shows that companies are tending to over-report.

Industry committee  Thank you for the question. The overcollection I was referring to was, I think, a likely outcome of proposed section 10.3 in the bill that requires organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control”.

Industry committee  Yes. I think we already have standards in this bill and in previous bills that could be helpful in terms of talking about, for example, we think it's certainly reasonable to keep records if it's reasonable that the breach would create a real risk of significant harm to an individual.That's already proposed for notification of individuals and the Privacy Commissioner.

Industry committee  I guess the assumption is that it must do something, otherwise Parliament would not enact such a provision.

Industry committee  I'm not really seeing how that would work. Again, the wording currently says that you have to state purposes in such a manner that the individual can reasonably understand how the information will be used or disclosed. The wording now says similar things; it says, “would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information”.

Industry committee  What I would say is, if this doesn't do anything, then there's no reason for it to be here.

Industry committee  If it is here, I'd like to better understand what it does that's different from what we already have, where we already have this requirement that the individual needs to understand the purposes, and where we already have guidance from the OPC about how to treat children, for example, and other disadvantaged groups.

Industry committee  Again, part of it is that we don't really know. If it is a clarification, it might be useful to have a revision that says “for greater certainty”, or something like that to indicate that we are just trying to clarify an existing obligation. Our concern is what this means additive to what's already here.

Industry committee  Thank you for that question, Mr. Lake. The concern is that we already have language in the law which says that to make a consent meaningful, the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed. What we're trying to understand is what additional requirement is being proposed under this consent, particularly given that we've already had decisions out of the OPC and guidance issued particularly about vulnerable groups.