
March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Yes, I do.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Sorry, I'm not sure what you're referring to. Is it something in Bill S-4?

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Well, certainly giving the Privacy Commissioner the power to make and enforce compliance agreements is a step forward. It's not nearly as great a step as should be in here, but it's something. Certainly having the security breach notification regime, some kind of regime in place, for reporting to the commissioner and to individuals is better than nothing, in my view.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  If you're going to rely on consent and you want it to be meaningful, then forget negative-option or hidden consent. Everyone knows that no one has the time to read or the ability to figure out where it is hidden in the 20 pages of fine-print legalese. Let's go with real, meaningful consent, which is affirmative opt-in express consent, for all non-essential collection, use, and disclosure of personal data.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  I think Dr. Geist made a good point in that respect in suggesting that we look at the anti-spam law this government has passed and the attention it's getting from industry. Dollars matter, but it's also the process. With fines, quasi-criminal fines, that require prosecution and proof of intent, even if they are high, the risk of a company being fined is very low.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Sure, thanks. I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly. One solution is to have the Privacy Commissioner be able to review the breaches and determine which breaches require, for example, notification of individuals.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Yes. To be fair, it is an objective test. If you look, for example, at proposed subsection 10.1(1), it says: An organization shall report to the Commissioner....if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  No, I did not. I was not invited and I did not appear or participate at the Senate stage. However, I believe both CIPPIC and PIAC did, and they made a number of the same points that I'm making now. When I look back at the debates, many of these points were made at that stage, and I just don't understand why those amendments were not made by the Senate.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  No, I did not.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Perhaps I could jump in.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  I have three points in answer to your question. I agree with everything Dr. Geist just said. The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a hard limit but is vague, that it include no marketing of children or seniors; no collection, use, or disclosure of personal data of children and seniors for marketing purposes.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  I would say to stop focusing on consent so much and put in place some hard limits. Let's acknowledge that consent is unrealistic in many situations, and put in place hard limits on what companies are allowed to collect in the first place and use and disclose later on.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  Absolutely; I would say that the first and foremost most important purpose of breach notification is to put in place incentives for the companies themselves to put in place the security measures that prevent the identity theft from happening in the first place. But I'm concerned for the reasons I've expressed.

March 10th, 2015 Committee meeting

Philippa Lawson

Industry committee  I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry to comply?”

March 10th, 2015 Committee meeting

Philippa Lawson