Information & Ethics committee  We're satisfied with the regulatory approach to a breach. It was originally a self-regulatory regime. The self-regulatory regime was built as a result of consultation. It was actually a great example of the kind of collaboration the PIPEDA model affords. As data breaches became more of an issue through the last five or 10 years, the Privacy Commissioner and others recognized—I don't think there was disagreement within the business community—that there was more of a need to raise the bar and have a formal set of reporting requirements.

Information & Ethics committee  I don't want to use the word “onerous”, but there is a job to be done, and to do it properly, organizations, especially large organizations, are going to have to change their processes and develop training to make sure that the appropriate staff are properly trained to handle the breach protocols.

Information & Ethics committee  I think that could be challenging in terms of who we're defining as children. The users of social media, as you pointed out at the outset, are very wide-ranging. You have younger children and then you have teens who spend a great deal of time on social media. I'm not sure how some of those users, or their parents for that matter, would react to organizations arbitrarily removing information that has been posted by those individuals.

Information & Ethics committee  This is a challenging area in terms of actual implementation. I mentioned in my remarks that we have in our code of ethics stringent guidelines regarding the collection of children's data. Marketers who are doing so are required to obtain express consent from parents or guardians, but—

Information & Ethics committee  We have some gradients. There are some issues around teenagers. Teenagers in our society start to assume a greater level of responsibility for their own activities, so our code of ethics does have different provisions for teenagers, but also more stringent provisions on the collection of data from teenagers as opposed to adults, people who have gained age of majority.

Information & Ethics committee  Thank you, Mr. Chair. Thank you to the committee for the invitation to appear before you today to present CMA's views on your study of the Personal Information Protection and Electronic Documents Act, also well known as PIPEDA. CMA is the largest marketing association in Canada.

Industry committee  Because of the language in the bill, there is not really a threshold established. It just says, “any breach of security safeguards involving personal information”. That could be something as minor as a list of addresses being left out, something very, very minor in the historical context of personal information under PIPEDA.

Industry committee  Our concern is that it could be taken to extremes and we haven't seen the regulations. You're correct. We'll have an opportunity to sit down in that process and one would hope the outcome would be a reasonable framework that wouldn't impose too great a burden. Our concern was simply that there could have been some mention of threshold in the law and that would have given reassurance to business.

Industry committee  I would agree with that. Having the penalties in the act does provide some additional teeth to the law that will get the attention of those who maybe need to pay closer attention to their privacy obligations. But for the most part, as Mr. Smith indicates, the business community increasingly has been understanding the importance of privacy and its responsibilities in terms of adhering to the requirements of PIPEDA.

Industry committee  The Canadian Marketing Association did.

Industry committee  Yes, I think we would agree that added period of time is helpful to the commissioner.

Industry committee  Individual organizations have a lot at stake in terms of ensuring that they properly weigh the impact of any breach on their customers. Their most important assets as business organizations are their customers, so making that sort of evaluation is one of the most important functions an organization has to take on when there is a breach situation.

Industry committee  I would suggest that it will lead to an appropriate level of reporting, and reporting those breaches that should be reported both to the Privacy Commissioner, and most importantly, to affected consumers.

Industry committee  I would hearken back to the minister's comments a week or so back when he was talking about proposed section 6.1 being designed or intended to better protect the especially vulnerable groups, particularly vulnerable groups in society such as children, and I think that is an important objective of PIPEDA.

Industry committee  Yes, thanks. To reiterate in a little more detail, Scott is correct in highlighting that the law has been in effect for over a decade now. It's an ongoing process. Organizations are constantly upgrading their security procedures and practices, and their technology. All of us are reading about technological changes every day, and those pose new challenges for marketers and for businesses every time there is a significant development.