Bill C-12 (Historical)
Safeguarding Canadians' Personal Information Act
An Act to amend the Personal Information Protection and Electronic Documents Act
This bill was last introduced in the 41st Parliament, 1st Session, which ended in September 2013.
Christian Paradis Conservative
Second reading (House), as of Sept. 29, 2011
(This bill did not become law.)
This is from the published bill. The Library of Parliament often publishes better independent summaries.
This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) exclude, in certain circumstances, business contact information from the application of Part 1 of that Act;
(b) specify the elements of valid consent for the collection, use or disclosure of personal information;
(c) permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) performing police services,
(iii) preventing, detecting or suppressing fraud, or
(iv) protecting victims of financial abuse;
(d) clarify the meaning of lawful authority for the purpose of disclosures to government institutions of personal information without the knowledge or consent of the individual;
(e) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of the individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(f) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of the individual, personal information related to prospective or completed business transactions;
(g) permit federal works, undertakings and businesses to collect, use and disclose personal information without the knowledge or consent of the individual to establish, manage or terminate employment relationships;
(h) provide a framework for organizations to notify individuals proactively about disclosures of their personal information made in certain circumstances to government institutions; and
(i) require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm.
April 21st, 2015 / noon
Bruce Hyer Thunder Bay—Superior North, ON
This amendment reverts back to the proposed language for notifying the Privacy Commissioner about security breaches, which is found in the previous PIPEDA reform bills C-12 and C-29, but it is stronger and clearer. Why? It creates a mandatory security breach disclosure requirement at the federal level, and that is long overdue. Geist at the Senate said that Bill S-4 establishes the same standard of “a real risk of significant harm” for both notifying the commissioner and the individuals, but also said this is very puzzling. It means that there is no notification for systemic security problems within an organization. This is very likely to result in significant under-reporting of breaches. Our amendment creates incentives for organizations to better protect that information and allows Canadians to take action to avoid risks including identity theft.
March 10th, 2015 / 12:45 p.m.
Barrister and Solicitor, As an Individual
I agree, and I like the section for that reason. It provides the clarification that the industry needs. However, the point I'm making is that those additional words that are not in the formulation from Bill C-12 actually restrict the application of this. They do not expand it; they restrict it. The earlier formulation was that consent is only valid if it's reasonable to expect that the individual understands it. That means that it has to be reasonable to expect that the individual in question in that particular transaction understands it. So the earlier formulation covers everyone. If it's a child, if it's a senior, whoever it is, that individual needs to be able to understand it.
The new formulation restricts it. The new formulation says that you only have to worry about individuals to whom you are directing your activities, and it's very easy for an organization to say, “We are directing our activities to adults, not to children.”
March 10th, 2015 / 12:35 p.m.
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill C-12 and Bill C-29 standard, that's not the standard we talked about. It set a material breach as the standard.
You can debate whether or not that's the appropriate standard, but at a minimum it gets us at a number of breaches that this law will not. Moreover, it does so in a way that I think was good for companies too, because rather than companies being faced with this either/or of going to the expense and potential embarrassment of simply disclosing or not, it said as an intermediary step, let's discuss this on a confidential basis with the Privacy Commissioner's office and determine whether or not it warrants that broader disclosure.
Frankly, that was a good thing for organizations to potentially avoid having to make those broader disclosures, in some circumstances, and it provided the comfort of ensuring that users knew that, at a minimum, we had an advocate, the Privacy Commissioner, who was going to be made aware of these circumstances.
It's puzzling to me why this was removed in favour of a process that, frankly, does less to protect Canadians and, ultimately, actually can create larger costs for companies as well.
March 10th, 2015 / 12:10 p.m.
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.
In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.
We got first reading of Bill C-29 in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.
The next bill that was introduced was Bill C-12, which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.
We finally now have Bill S-4, on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.
With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.
So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.
March 10th, 2015 / 11:45 a.m.
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
My concern with the security breach disclosure provisions, which I think quite clearly are long overdue—we've been passed by by so many other countries and jurisdictions on this—is frankly that we had it better in the earlier iterations of this bill, in Bill C-12 and Bill C-29, which, as I'm sure you know, created a two-step process.
The first step is notification to the Privacy Commissioner of a material breach, and that, of course, didn't include the necessity of the real risk of significant harm. It was more a matter of the breach itself.
Then you get into the secondary question of under what circumstances you go down the much more challenging avenue of having to disclose this breach to everyone who's affected, recognizing that there may be circumstances in which that's appropriate and others in which it's not.
What we've done here, by removing that and creating a higher threshold for all disclosures, I think means that systemic breaches don't get disclosed. It means that, many times, important material breaches simply don't get disclosed, and organizations that have underlying problems don't have to fess up at all.
I think we recognize that in some circumstances we have the incentives for organizations not to disclose because of the costs and the embarrassment factor. We also want to ensure that we don't have so many disclosures that consumers are receiving notifications on a daily basis, and they simply tune all of that out.
There is a balance to be struck, but I think we did a much better job, the government did a much better job, of striking that balance, particularly for things like systemic breaches within an organization, by saying, “Surely that's the sort of thing that we would want the Privacy Commissioner's office to know about”, and yet we've effectively removed that in this bill. It's hard to understand why.
March 10th, 2015 / 11:15 a.m.
Barrister and Solicitor, As an Individual
Thank you very much.
Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill S-4, which proposes amendments to PIPEDA.
My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent initiatives to legislate voluntary standards. As a lawyer with the Public Interest Advocacy Centre at the time, I was a public interest representative on the committee that drafted the code. I later advocated for legislation that eventually took the form of PIPEDA.
I have been closely involved with PIPEDA ever since, first in my role as a consumer advocate with PIAC and later as director of CIPPIC, both of whom I understand you have already heard from. In particular, I have conducted studies of private sector compliance with PIPEDA. I have lodged a number of PIPEDA complaints with the Privacy Commissioner. I have taken the Privacy Commissioner to court in order to establish that she had jurisdiction to enforce PIPEDA against foreign corporations acting in Canada. I published a study of security breach notification laws in 2007. I've been urging the government to adopt mandatory security breach notification laws since 2003.
Today I am speaking on my own behalf as a lawyer and privacy advocate. The last formal submissions I made on PIPEDA reform were in 2008 in my role as director of CIPPIC. Those submissions focused on three issues: security breach notification, protection of minors, and compliance and enforcement. The analysis and proposals made in those comments remain apt today, and I would be happy to provide copies of that submission to anyone who is interested.
I'm happy to see that the government has seen fit to address all three of these issues in Bill S-4, but I am disappointed that the measures in each case fall far short of what is needed. I will address each of these three topics briefly, but before doing so I would like to address an elephant in the room. That elephant is consent.
There is a pretense that companies are obtaining informed consent from customers to the collection, use, and sharing of their personal data. But anyone who takes the time to study what is actually going on will quickly see that this is, to a large extent, a fiction and that meaningful consent is rarely obtained from consumers.
Negative option consent is commonly used but rarely brought to the attention of customers. Consent is in fact often assumed simply by virtue of use of the service. Changes to privacy policies are simply posted on the company website and customers are expected to inform themselves. No one really expects individuals to read through lengthy, complex terms of service for every transaction. People simply don't have the time. If they do take the time to read the terms, they may find that they are notionally consenting to have their personal data used for purposes such as—and I'm quoting here from privacy policies that I've looked at—research, marketing, product development, and business purposes. In further violation of PIPEDA, many companies are refusing to deal with customers who won't agree to unnecessary uses of their personal data, such as marketing.
A reality check is needed on what is happening in the marketplace with so-called customer consent. In the meantime, proposed section 6.1 is a helpful qualification on what the law already requires. It may have some positive effect on what is, in my respectful submission, a widespread disgrace.
However, the current wording of proposed section 6.1 could actually have a perverse effect on the protection of children or seniors. If you read the clause, you will see that it fails to protect vulnerable populations to whom an organization's activities are not directed. All that a company needs to do to exploit children is to direct its activities to adults and then turn a blind eye to the fact that children are signing up. A simple fix is to revert to the earlier wording of this clause found in Bill C-12. However, if if the aim is to protect children, a much more effective approach is simply to prohibit certain uses of personal data about children.
I have a few words on breach notification. This is long overdue, and it will certainly be an improvement on the current situation. But are the proposed rules going to be effective? Breach notification is about more than notifying individuals. An equally important goal is to create incentives for organizations to put in place strong security safeguards.
In order to create such incentives, there needs to be a real risk of significant financial harm to a corporation from failing to put in place adequate security measures. This is the test you should be applying to your assessment of the proposed breach notification regime: is there a real risk of significant financial harm to corporations from non-compliance?
I am not convinced there is. Fines apply only to failure to report or failure to keep records and require cumbersome proceedings and proof of intent. Civil lawsuits are too costly to make sense in most cases, and the Privacy Commissioner may be dissuaded from using publicity for this purpose as a result of subsection 20(1.1), which prohibits disclosure of breach notification reports. I do not understand that section.
Until there are real financial incentives for corporations to take appropriate measures to prevent breaches from happening in the first place, and to otherwise comply with privacy laws, non-compliance with PIPEDA will continue to be a cost of doing business in Canada.
I'd like to finish with a few comments on private investigations. I am very concerned that, if the proposed changes to the current investigative body regime exception go through, this bill will actually set back privacy protection in Canada.
I will not repeat the able submissions of my colleague Dr. Geist on this subject, but let me just point out that in the new world of cheap data storage and powerful data analytics, the only limits on how far companies will go in their efforts to detect fraud, criticism, or contractual breaches will be what you put in this law. With today’s technology, it’s less costly to gather more data and to apply analytical tools to a large database than it is to restrict the intake of data to that needed in the first place.
In this context, insurance companies and other companies will, no doubt, argue that it's reasonable for them to conduct what amounts to broad and deep surveillance of their customers in order to detect fraud.
Paragraph 7(3)(d.2) would allow just that. It requires no formal investigation. The disclosure just needs to be reasonable, not even necessary as in the previous formulation in Bill C-12. This provision would open the door to routine sharing of personal data among organizations based on nothing more than the always present risk of fraud. Moreover, there would be no transparency or accountability requirements. It would be a major setback for consumer privacy.
I understand that this amendment was based on the Alberta model, but I looked at the Alberta model, and subsection 20(n) of the Alberta statute is not as permissive as this. It actually limits sharing to certain kinds of organizations.
I urge you to remove these clauses from the bill and stick with the current investigative body regime. I also urge you to adopt the transparency measures that my colleague Dr. Geist recommended.
Thank you very much.
February 19th, 2015 / 12:05 p.m.
Executive Director and General Counsel, Public Interest Advocacy Centre
We are proposing today a hybrid model, one that looks a lot like what was in Bill C-12. In order for it to be two steps, you would have to have a reporting of material breaches of security safeguards, as it was worded in that bill, that affect personal information, as a first step, only to the Privacy Commissioner. Then, as in Alberta, it's better to leave the decision about whether to notify individuals with an impartial third party, the Privacy Commissioner, rather than again leaving it up to the company, which is what this bill.... It places a lot of responsibility on companies, actually. If they make a call badly, it's just preferable to leave it in the hands of an impartial third party.
That would be what we propose, that two-step approach.
February 19th, 2015 / 11:55 a.m.
Executive Director and General Counsel, Public Interest Advocacy Centre
I would disagree. I think that Bill C-12 which was previously there, had made the effort to set a bar for material breach reporting to OPC, which was based on the seriousness of the information lost and the number of people affected. Again, it also threw in this business about systemic problems, which I think is complicating things. That would mean that the number of material breaches reported to the Privacy Commissioner would not be overwhelmingly burdensome because it would be larger breaches affecting people in a serious way.
February 19th, 2015 / 11:45 a.m.
John Lawford Executive Director and General Counsel, Public Interest Advocacy Centre
Thank you very much, Mr. Chair.
Honourable members, my name is John Lawford. I'm the executive director and general counsel of the Public Interest Advocacy Centre, a national non-profit, federally incorporated organization founded in 1976 that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests.
Due to the time I'm going to be speaking today solely to the breach notification amendments. However, I'll be happy to take questions on other aspects of the bill.
PIAC believes that the goal of an effective data breach notification law is to actually notify individuals of the loss, unauthorized access, or theft of their personal information from an organization whenever it is possible for the individual to take steps to avoid financial, reputational, or other harms, or to minimize these impacts. In our view this goal can be accomplished in a manner that also removes conflicts of interest in reporting breaches; reduces compliance cost and risk for business, in particular small business; generates data for better policy outcomes; engages, improves, and leverages the expertise of the Office of the Privacy Commissioner, OPC, in dealing with breaches; and encourages business and consumers to make investments in data security.
Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.
The conflict of interest in having a company assess whether an individual faces a real risk of significant harm from a data breach is one that will be settled in close cases and some more egregious ones by the company concluding there is no such risk. Such an assessment avoids the cost, reputational damage, and inconvenience faced by the company. It also avoids putting the company on the radar of the OPC for an audit or an investigation.
While it's true the company does face prosecution under the amended section 28 of PIPEDA and a possible fine up to $100,000, perhaps even per record, that offence is premised on not reporting a breach knowingly. Any organization that sets up even the most basic process to come to a conclusion that a breach was not a real risk of significant harm would have a very strong defence. This flaw is exacerbated by the bill's requirement to report all breaches regarding a real risk of significant harm simultaneously and relatively instantly to the OPC, whose role is purely observational, to affected individuals and to unspecified third parties who may be able to help. Which individuals to notify will be determined solely by the company involved, which will be dealing with the chaos of several reporting requirements that frankly make little sense as structured. The incentive again will be to keep the reporting to individuals to as few in number as possible. Contrast this with our vision of how Bill S-4 could work.
Step one, replace the initial reporting to all parties on the real risk of serious harm test for the requirement to immediately report material security breaches involving personal information to the OPC only. In Bill C-12 of the previous parliament, in that version, proposed section 10.1, did this very well with one exception. We would recommend removal of the systemic problem assessment, which the bill required and which also led to the disincenting of reporting.
Step two, leave the decision of whether to order—and yes, I said order—a company to report a data breach to individuals to the OPC. The company would have no say in the matter. The OPC would be an impartial third party arbiter of whether a breach was a real risk of significant harm to affected individuals. The OPC would gain experience, expertise, and authority in assessing breaches. The OPC decisions would be made public, meaning Canadians would finally know which companies had breaches, because this is presently not known for all breaches under the voluntary breach notifications referred to and the private conversations that we know the Office of the Privacy Commissioner has with companies.
Finally, the gathering of security failings generates data that could lead to better policy outcomes based on encouraging companies to invest in improved data security.
This approach would also benefit business, especially small business. With the OPC making the individual notification call, the business would be relieved of the compliance costs in hiring consultants to manage its data breach response, as the OPC would specify when, how, and how much notification was required. It would virtually eliminate the risk of civil liability for data breaches. The OPC could provide extensive breach notification guidance and materials to ease the reporting process for business in dealing with the stress of a breach.
This committee could save time and effort in designing step two by essentially copying the relevant section of Alberta's Personal Information Protection Act, namely section 37.1 of that act.
Finally, a rewrite of Bill S-4, as suggested, should encourage both business and consumers to take personal information security and the response to it more seriously. For business, a step-one requirement to report security breaches to the OPC would drive investments to improve systems in order to avoid having to report breaches. For consumers, a step-two notification could be treated as authoritative, serious, and OPC-approved assurance of impartiality, and spur consumers to take action to appropriately deal with breach notification and, finally, to reflect their judgment of the information-handling practices of the business to those businesses.
Thank you very much. I await your questions.
February 19th, 2015 / 11:35 a.m.
Tamir Israel Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
Thank you, Mr. Chair, and committee members.
My name is Tamir Israel, and I'm a staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, at the University of Ottawa. CIPPIC works to advance the public interest in policy debates that arise at the intersection of law and technology. We're very grateful for this opportunity to provide our input into Bill S-4, the digital privacy act, which will make some important changes to PIPEDA, Canada's federal commercial sector privacy law.
Concern over privacy and lack of trust in organization practices remain an ongoing concern for a number of Canadians. A recent survey commissioned by the Privacy Commissioner found, for example, that over 75% of Canadians have avoided the use of a mobile application because of the information requested, and close to 60% have turned off location tracking functionality on their mobile devices out of concern that others will access the information. These types of statistics are telling, and they show that Canadians remain concerned, and are acting on their concerns, when engaging with digital content.
Even as concerns grow, avoiding privacy-invasive practices becomes increasingly difficult. Every device, from our mobile phone to our car to our television at home, is now a cause of concern for those wishing to maintain a sphere of privacy. The task of keeping up with the multitude of settings and privacy policies on all of these is time-consuming, and increasingly out of reach for many segments of the digital population.
Against this backdrop, Bill S-4 introduces some much-needed improvements to PIPEDA, while at the same time raising some concerns. We're particularly pleased to see the inclusion of compliance agreements and an extended appeal period, as those take some important initial steps towards resolving long-standing problems with PIPEDA's complaint mechanism. We hope that additional changes will be considered at the next statutory review of the bill, which is coming up in the next couple of years. We particularly point to long-standing problems with the lack of proactive compliance incentives as something that we think still needs to be addressed.
With respect to Bill S-4, I'd like to address three parts of the bill very briefly: the new consent requirement, breach notification regime, and some of the information sharing exceptions.
Clause 5 of Bill S-4 will enact proposed section 6.1 of PIPEDA, which seeks to strengthen the consent obligations so that individuals will be aware of the nature, purpose, and consequences of the activities that an organization seeks to carry out with their data. In general, this will mean that where an organization targets or becomes aware that it's dealing with vulnerable individuals such as youths, additional steps to ensure that its privacy practices are understood will have to be taken.
If dealing with young children, it may not be possible at all to make the young children themselves aware of the consequences of their actions, and verifiable parental consent might be required. This is in line with industry practices for minor-specific sites that interact with very young children. There are already legal obligations in some jurisdictions, such as in the United States, under COPPA.
The consent provision will also have a positive impact in other contexts. Strengthening the obligation of organizations to ensure that customers are aware of the nature and consequences of data practices will help individuals make more informed privacy choices in general.
With respect to Bill S-4's breach notification obligation, we're very grateful to see this notification obligation coming into force. It's much delayed and needed. The breach notification obligations have become a standard for 47 states throughout the U.S., and the White House recently announced a federal breach notification bill.
The breach notification regime that Bill S-4 would enact requires that individuals and the Privacy Commissioner be notified where a breach of security safeguards creates a real risk of significant harm. As are my colleagues from the Canadian Bar Association, we're concerned that the standard for notifying the Privacy Commissioner is too high. Additionally our experience has been that it's very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.
Even a breach of safeguards that does not lead to the risk of significant harm can be indicative of a general laxity in technical safeguards that should be addressed. We think it's good to have a notification requirement to the Privacy Commissioner that's more comprehensive even where there's no real risk of significant harm to specific individuals.
We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored. We think that at least over time it would be good to improve this into a more generalized administrative monetary penalty regime. The fines currently in PIPEDA are designed as penalties for very overt offences. An administered monetary penalty regime would be more fitting as it would be focused on securing compliance. That gives businesses more leeway where innocent mistakes are made on the one hand and it may have more teeth where repeat offences are made or where there's a need to secure compliance. I think that would help improve the rigour of this bill, this breach notification regime.
I'll speak briefly to the information sharing elements of the bill. We find a number of these problematic. They raise some potential issues particularly on the private sector side, but we also have some concerns on the public sector side as well. Subclause 6(10) of Bill S-4 replaces the current investigative bodies exception, which permits an exhaustive list of non-governmental regulatory bodies such as the Law Society of Upper Canada to receive information relating to an investigation.
The issue that's intended to be addressed is the difficulties inherent in getting listed as an investigative body. New bodies emerge on occasion, the names of existing bodies change, and each time this happens regulations need to be passed. It's an onerous process. We support addressing that issue.
We're a little concerned that the remedy adopted to address that exception may open the door to unwanted information sharing, particularly in the context of intended lawsuits or where a private company wants to investigate the customer of another company. The provisions adopted in Bill S-4 are an improvement over those in Bill C-12 because they limit the situations in which a company can disclose their customers' information to another company to situations where it can reasonably be expected that if the customer were aware it would compromise the investigation or the impending lawsuit.
However, we're still concerned that this will open the door to customer sharing in a context where the courts have said very specifically that there's a specific process for when you're looking to go after an individual with a potential lawsuit. What you should be doing is filing a statement of claim and going through third party discovery processes, which have built-in safeguards for privacy.
We're concerned that this exception will at the very least give some companies the impression that they will be able to disclose their customers' information. We've had some fairly prominent examples of this in Canada. Some ISPs have been asked, in court so far...because the Federal Court of Appeal has said to date that you cannot disclose your company's information to a potential plaintiff without a court order.
Some of these have gone through the court system and they have even been problematic there. Copyright trolls have asked for the identities of thousands of ISP customers. We've seen other examples where this type of thing could be problematic, so we would appreciate clarification that this exception is not intended to facilitate the types of requests that are to facilitate lawsuits in essence.
We also have some brief concerns relating to proposed section 10.2, which is part of the breach notification regime, which obligates companies who are already disclosing to an individual and to the Privacy Commissioner that a breach of security safeguards has occurred. These companies will also be obligated to notify an open-ended list of companies and government bodies that they believe might assist in the reduction of harm.
In principle, this exception is logical. However, we would like to see some more safeguards in this exception.
Part of the issue is that many agencies that deal with security, particularly in the cyber context, are the same agencies that also conduct investigations on a range of other issues, and security can implicate the private data of several thousand if not tens of thousands of individuals. We're concerned that more information than is necessary may get passed along in these exchanges when they occur.
February 19th, 2015 / 11:30 a.m.
Suzanne Morin Executive Member, National Privacy and Access Law Section, Canadian Bar Association
Thank you, Jean.
I will limit my opening remarks to just two areas regarding the breach notification regime. The first one is thresholds for reporting to the Privacy Commissioner, and then the second area will be record-keeping.
As you may know, unlike its predecessor, Bill C-12, clause 10 of Bill S-4 sets out a single test or threshold for both notifying individuals of a breach and reporting to the Privacy Commissioner. In effect, every breach that is notifiable to an individual will now also be reportable to the OPC, requiring businesses to change their current practices. The objective of reporting to the commissioner in essence is to track the volume and nature of breaches to see if there are any trends and to allow the commissioner to work with organizations, small and medium-sized organizations, who may need assistance.
This objective is very different—very different—from the objective of notifying individuals so that they can mitigate harm that may result from the breach. This distinction is actually very well understood both by industry and by the Privacy Commissioner's office. In fact, industry players have been following for years the guidelines “Key Steps in Responding to Privacy Breaches”, which were jointly issued by the Privacy Commissioner with their B.C. and Alberta counterparts. These guidelines have existed for several years and have been followed by the industry very successfully. While the threshold for notifying individuals should be based on the existence of a real risk of significant harm, which is what Bill S-4 does today, reporting to the OPC should be premised on the existence of a material breach.
Second, regarding record-keeping, we are of the view that the mandatory record-keeping for all breaches of security safeguards regardless of significance is unworkable, extremely impractical, and places too great a burden on all organizations regardless of size or industry, with no commensurate benefit for the protection of Canadians. In fact, this is really our overarching concern when these new record-keeping obligations are considered in light of the new proposed offences which, in our view, strip away the delicate balance in PIPEDA. In no event should a deficiency in logging be an offence.
As currently drafted, and due to the lack of a specific materiality threshold for reporting breaches to the OPC that I just referred to, every single breach of security safeguards, once again regardless of how trivial, must be diligently logged because it will be an offence to do so improperly or imperfectly.
In closing, we should be focusing on those breaches of security safeguards that might have the most impact on Canadians.
Once again, on behalf of my colleague and me, thank you for the opportunity to meet with you here with today, and we welcome your questions.
February 17th, 2015 / 11:35 a.m.
Annick Papillon Québec, QC
Bill S-4 could force private sector organizations to report any losses or breaches of personal information. However, unlike what is set out in Bill C-12, the test proposed for this mandatory reporting is subjective since it enables the organizations themselves to determine, and I quote:
if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
In your view, is that test reasonable?
May 1st, 2014 / 11:45 a.m.
Dr. Éloïse Gratton Partner and Co-Chair, Privacy, McMillan LLP, As an Individual
I will start. Thank you for the invitation.
I'll give the first part of my presentation in French and the second, in English.
I'd like to start by discussing the legal framework governing privacy protection and the response of business. Despite the legislation that exists, the Personal Information Protection and Electronic Documents Act, or PIPEDA, companies and organizations have no real incentive to comply with the act and implement appropriate security measures. What's the worst that could happen from a company's perspective? What are the risks if they don't comply with the act? Not much. The worst case scenario is that their reputation might be tarnished. For example, if a complaint is made, and at the end of the investigation, the commissioner decides to release the company's name, then obviously, the company's reputation might be sullied. That very seldom happens, though.
There is another potential risk. When an individual is notified by the commissioner that the act was in fact breached, that person can take the company to Federal Court for damages. The court has made a few such rulings in the past decade. In five to ten cases, the Federal Court awarded small amounts. In some cases, it awarded no damages, and in others, $5,000.
Last fall, in its ruling on Chitrakar v. Bell TV, the Federal Court awarded $20,000 in damages, and that was a first. Is this the beginning of a new trend? Perhaps. Only time will tell. One thing is for sure: not everyone has the means to take legal action against a company to obtain small amounts in damages. In privacy violation cases, the amounts often range between $5,000 and $10,000. Engaging in a court battle is a complicated and painstaking process.
Furthermore, at the federal level, no incentives exist with respect to class action lawsuits over privacy violations, which have the potential to improve compliance. Incentives do exist in other jurisdictions. And in many cases, companies comply with privacy legislation as a result. Just think of the recent security breaches. Last January, a security breach occurred at Human Resources and Skills Development Canada. In April, a security breach occurred at the Investment Industry Regulatory Organization of Canada, or IIROC. And class action suits were launched in relation to both of those breaches.
In the case of IIROC, a portable drive containing the financial information of 52,000 brokerage firm clients was lost. The damages sought were $1,000 per individual. That has the potential to motivate companies to comply, but under PIPEDA, that isn't an option. The legislation contains no such provision to motivate companies. And even if it did, a class action lawsuit isn't necessarily appealing because authorization to proceed isn't always granted.
In the Quebec case of Larose c. Banque Nationale du Canada, the Superior Court made a ruling in 2010. A typical breach, it involved a lost laptop containing the financial information of many clients. One of the clients was not very happy and took the National Bank to court. At the authorization stage, counsel for the complainant had to show that, as a result of the security breach on the bank's part, actual identity theft had occurred. The court stipulated that the fear of identity theft alone did not entitle someone to compensation. Had there been no evidence of actual identity theft, the court would not have granted authorization for a class action.
That tells you just how high the bar has been set. Proceedings of this nature are not straightforward. And the damages aren't very high. So what's left? If you can't seek compensation because you're afraid you were the victim of identity theft as a result of a security breach, there is little else you can do.
Let's come back to the legislation concerning security measures. Companies are advised to adopt security measures based on the level of sensitivity of the information. Even when companies contract out services to a third party, the legislation says they are still responsible for the information and must ensure its protection through the contract. In reality, what we often see is companies using cloud services or third-party contracts. They contract the service out and then turn a blind eye to what goes on.
I would like you to consider a provision in a piece of Quebec legislation that I see as very useful. It imposes an additional obligation on companies preparing to give or transfer personal information to a third party via a contract. I am referring to section 26 of An Act to Establish a Legal Framework for Information Technology. It reads as follows:
Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.
The person who entrusts the function to a service provider and transfers the data to the provider, whether via cloud computing or some other means, has an obligation to tell the service provider how to protect the information in question. I think incorporating a similar provision in our legislation could be useful.
I am active in the protection of privacy and personal information. There is a prevention component to my work. That entails advisory services, compliance, training, policy development and so forth. I am also involved in crisis management. I help with the management of security breaches, provide assistance when complaints are made to privacy commissioners in various jurisdictions and give advice related to privacy class action lawsuits. Clients rarely ask me to do any prevention work for them unless they have had some sort of crisis first. That shows that companies aren't very tuned in to the issue. And yet, the legislation exists. Are they motivated to comply with the act? Not especially, because they wait until a security breach has occurred before taking action. Not until a crisis arises do they realize how costly it can be and that they might do well to invest in prevention.
It's also interesting to see just how many resources are being deployed to compliance and prevention around the coming into force of Canada's new anti-spam legislation. That piece of legislation is being taken seriously. It includes liability provisions that apply to administrators, executives and employers. And since the penalties it sets out are quite stiff, companies take it seriously. Ever since its coming into force was announced, the legislation has monopolized my practice almost full time. Is spam a bigger problem or greater evil than security breaches or identity theft? I doubt it. Why, then, is the situation the way it is? What are we waiting for to motivate companies to invest in prevention?
I have one last point. My second part will be very short.
Some studies show that most security breaches are the result of human error. I am referring to two studies, in particular, that were conducted two years after the requirement to report a security breach was imposed on companies. The first was done by Alberta in 2012-13 and lists all the notifications and security breaches. According to that report, human error was at fault in many of the cases. The second study was done by the Ponemon Institute in 2013 and says that in 33% of cases, employee error was to blame.
That, too, shows that companies aren't taking employee training around privacy protection seriously. Very often, the security breach resulted from a laptop being left in a car. Was the employee aware that behaviour posed a risk? Was a relevant policy in place? Was appropriate training available? The jury is out.
I know time is running. The second part is going to be quick.
I want to raise the fact that currently under PIPEDA we don't have mandatory breach notification, and I believe that this may well play an important role in addressing some of the financial harm that may be triggered in the case of identity theft following a security breach.
If individuals, whether they be consumers, employees, are notified, it will help them to better protect themselves against harm, such as identity theft, because once they're notified they're going to pay special attention to their financial statements every month, every day, tracking down any suspicious or unauthorized transactions. They're going to monitor their credit through credit-rating agencies, such as Equifax and TransUnion. It will also provide businesses with an incentive to establish better data security practices in the first place.
What's the status on mandatory breach notification outside of Canada? We have it in Europe and in the United States. Most of the states in the U.S. have breach notification laws. In Canada, Alberta so far is the only private sector jurisdiction that has this law, and they prescribe fines up to $100,000 for businesses. They have realized that this breach notification obligation in their law has increased the reporting of security breaches, and it has also increased the privacy training. Businesses are more inclined and are more motivated to spend, because they realize that it's going to be an obligation to disclose the breach if there is such a breach.
In Quebec there is a consensus that it is needed. In 2011, la Commission d'accès à l'information du Québec published a report in which they said that this is needed. It's a matter of time. It's in the hands right now of the legislature, but we will have also this obligation in Quebec shortly, hopefully.
At the federal level, we've had various bills that have been introduced: Bill C-29, BillC-12, Bill S-4 recently, and Bill C-475. The latest one is Bill S-4. Will Bill S-4 do the job if it becomes law? It's better than having nothing, that's for sure. Maybe it's not perfect, but it's better than having nothing.
I guess it would create the incentive for businesses to disclose, and I think we need to trigger that incentive. In an ideal situation there should be clear monetary penalties for not reporting security breaches to individuals and to the privacy commissioners. There should be a duty to report a breach as soon as possible. I'm cautious with providing fixed delays, because I've been on the other side. Sometimes there's a breach and you need to do the investigation before you start notifying individuals and privacy commissioners, because you need to know exactly what happened and what needs to be told or not told.
The Privacy Commissioner, I believe, should be given the power to order an organization to report a breach to customers. These orders should be made public and the organization should be named. I think that would create the necessary incentive for them to invest in preventive measures, which would be beneficial to address a financial harm resulting form identity theft.
This is my last point. It would not be a bad idea to have a uniform breach notification law in Canada. Various systems could become problematic when there's a breach. I know that a few years ago, the Uniform Law Conference of Canada drafted a breach notification act. Maybe it could be used as a tool.
Thank you. I think my time is up.
April 1st, 2014 / 12:25 p.m.
The Chair Pat Martin
Your time is pretty much up; there are about 10 seconds left. But I would like to clarify, perhaps, Mr. Jenkin's response.
The PIPEDA act is up for review. It was due to be reviewed about two years ago. It was reviewed once about seven years ago, and the government's response to that review was Bill C-28, which died on the order paper, and Bill C-12, which died on the order paper. So if there was a government response, none of those elements was ever implemented; the act was never amended or changed.
I don't want Mr. Ravignat to think that a review led to amendments to the act. It did not.
Or did you mean something else?
Personal Information Protection and Electronic Documents Act
Private Members' Business
December 5th, 2013 / 6 p.m.
Megan Leslie Halifax, NS
Mr. Speaker, I have a great crowd behind me, because this is a really important bill. There is such a great response. I really want to thank my colleague from Terrebonne—Blainville for working on this important piece of legislation. She deserves congratulations for a lot of reasons. It is a great piece of legislation.
My colleague was elected in 2011. She is proof positive than an individual MP can advocate for constituents, give a caucus important advice in a critic role, represent NDP values in a critic area, and make concrete legislative suggestions to the House. The fact that we have such a good piece of legislation before us speaks volumes about her ability to make a difference here in Parliament.
The former CEO of Google, Eric Schmidt, said that as of 2010, we create more information in just two days than was ever created up to and including 2003. That is an incredible statistic. It is massive. We create about 2,000 years' worth of information every couple of days. That is just one way of measuring how the digital world we live in today is different even compared to just 10 years ago.
Change is happening quickly when it comes to technology, innovation, and information sharing. It is increasingly an issue for Canadians, because in the last 10 years, with the growth of the digital economy, social media, and Internet access, greater amounts of personal data are shared. They are collected, used, and disclosed.
This bill identifies a problem. The problem is that our privacy laws are not built for a digital age when we create and share so much personal information.
PIPEDA was adopted in 2000. I remember it quite well, because I was a law student, starting in 2001, and we talked about what the implications would be for the groups, organizations, and communities we worked with. At that time, there were almost no social networking sites, microblogging sites, or video-sharing sites. Tumblr and YouTube did not exist, and there was no such thing as Facebook. I remember the first time I ever googled something, and it certainly was not a verb at that time.
Now over 18 million Canadians have a Facebook account, including many of us here in the House. A lot of us use this form of social networking. That number of 18 million Canadians is more than half of Canada's population, which is incredible.
Can anyone remember a time when they could not YouTube a viral video or find an old friend on Facebook? It was a completely different world 10 years ago. Now we are light years ahead of where we were in 2000.
What we are talking about here would transform the digital world in Canada. It is the type of change that affects Canadians on a huge scale. As Canadians, we are incredibly connected. We are the second-greatest Internet users in the world. More than 80% of us access the Internet regularly. Approximately 70% of us think that our personal data is less secure and less protected than it was 10 years ago, and 97% of Canadians would like to know when their personal information has been exposed because of a data breach.
It is worth noting these statistics, because most Canadians agree with the goals of this bill. It is absolutely unthinkable that we would expose so many Canadians to risks to their online privacy, especially when many people are aware of and concerned about these risks.
We need to update our privacy laws to recognize these changes and keep up with them; otherwise, we risk leaving Canadians unprotected. Canadians have moved on from 2001. It is time that our privacy protection laws moved on as well.
I would like to stress the importance of taking advantage of the opportunity this bill presents. We know that the Conservatives presented a privacy bill, Bill C-12, that came out of the 2006-2007 review of PIPEDA. However, it has been languishing on the order paper since 2011. That is far too long. Not one but two PIPEDA reviews are overdue.
We need privacy protection for the 21st century, but we also need it in the 21st century. Bill C-475 responds to these pressing challenges for protecting our privacy in a new digital age.
In a May 2013 review of PIPEDA, the Office of the Privacy Commissioner of Canada identified pressure points where PIPEDA needed to be changed. The first two of these pressure points, and arguably the most important ones, are addressed in Bill C-475.
The first pressure point identified in the report was enforcement. The report points to the fact that under PIPEDA the Privacy Commissioner is limited to the role of an administrative investigator, and that while she may seek resolution through negotiation, persuasion, and mediation, she actually has no enforcement powers.
The report says:
The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data.
Bill C-475 answers this recommendation in giving enforcement powers to the Privacy Commissioner to order organizations to comply with privacy legislation and to fine them if they refuse to take action within an established time period.
The second pressure point in the Privacy Commissioner's report was to “shine a light on privacy breaches”. It recommended that PIPEDA should:
require organizations to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigation measures can be taken in a timely manner.
This is really common sense. First of all, we want to know when our personal information has been put at risk. As I said before, 97% of Canadians agree that they want to know when there has been a breach in their privacy. The harm that comes from these breaches can include identity theft, financial loss, negative credit ratings, and even physical harm. We should be aware that we have been exposed to a higher level of these risks when our privacy has been breached.
I will wrap up by saying that the Privacy Commissioner stressed that too often the rights of individuals are displaced by organizations' business needs and that it is becoming increasingly clear that the balance between these rights and needs is no longer there.
I would like the House to know that New Democrats are not stuck in the past. We recognize the imbalance, and with the bill we will take the first steps to make sure to protect the interests of businesses and consumers in the new digital age.