Safeguarding Canadians' Personal Information Act

An Act to amend the Personal Information Protection and Electronic Documents Act

This bill was last introduced in the 41st Parliament, 1st Session, which ended in September 2013.

Sponsor

Christian Paradis (Conservative)

Status

Second reading (House), as of Sept. 29, 2011
(This bill did not become law.)

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) exclude, in certain circumstances, business contact information from the application of Part 1 of that Act;
(b) specify the elements of valid consent for the collection, use or disclosure of personal information;
(c) permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) performing police services,
(iii) preventing, detecting or suppressing fraud, or
(iv) protecting victims of financial abuse;
(d) clarify the meaning of lawful authority for the purpose of disclosures to government institutions of personal information without the knowledge or consent of the individual;
(e) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of the individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(f) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of the individual, personal information related to prospective or completed business transactions;
(g) permit federal works, undertakings and businesses to collect, use and disclose personal information without the knowledge or consent of the individual to establish, manage or terminate employment relationships;
(h) provide a framework for organizations to notify individuals proactively about disclosures of their personal information made in certain circumstances to government institutions; and
(i) require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Privacy (Oral Questions)

September 25th, 2012 / 2:45 p.m.

Charmaine Borg (NDP), Terrebonne—Blainville, QC

Mr. Speaker, Bill C-12 is already out of date. The government is still stuck in a world of eight-track tapes.

This Facebook privacy concern is a concern to millions of Canadians, but the issue is bigger than that.

Privacy (Oral Questions)

September 25th, 2012 / 2:45 p.m.

Mike Lake (Conservative), Parliamentary Secretary to the Minister of Industry, Edmonton—Mill Woods—Beaumont, Alberta

Mr. Speaker, this government introduced Bill C-12, which is an important tool for ensuring a stronger digital economy in Canada. We look forward to the opposition's support in moving that forward.

June 19th, 2012 / 11:10 a.m.

Tamir Israel, Staff Lawyer, Canadian Internet Policy and Public Interest Clinic

I'll talk a little slower.

The growing importance and benefits of social media to Canadians cannot be understated. These are far-reaching and permeate every aspect of our individual, social, and political lives. The innovative and commercial growth of such networks should not be unduly restricted. At the same time, Canadians should not be forced to choose between their privacy rights and their right to participate in this new interactive world.

PIPEDA, which forms the backbone of privacy regulation in Canada, provides a flexible set of principles that cater to the legitimate needs of businesses while providing safeguards for user privacy. While PIPEDA has largely withstood the test of time, the privacy landscape has changed substantially since its enactment, and a decade of experience has exposed a number of shortcomings that should be addressed if the statute is to continue to meet its objectives.

I will quickly say a few words about the shifting privacy landscape and proceed to elaborate on four areas that I think need immediate attention.

In recent testimony before this committee, Professor Valerie Steeves pointed to research indicating growing lack of trust in online companies. A survey conducted for Natural Resources Canada in late 2009 similarly found that respondents' level of trust in different types of organizations to keep their personal information secure is moderate to low. The least trusted were small private sector businesses and social networking sites.

The study similarly found that the ability to control the context in which information is shared increased levels of trust. In another study conducted by researchers at Annenberg and Berkeley, 67% of Americans agreed or strongly agreed that users have lost all control over how personal information is collected and used by companies.

Feeding this sense of lost control is an increasingly complex ecosystem where the scope and nature of data collected increases daily, even as the sophistication of information collection and analysis mechanisms keeps pace. While Google and Facebook have been at the forefront of debates on these issues, numerous other companies are involved. Acxiom, a data broker based in Arkansas, has reportedly collected an average of 1,500 data points on each of its 500 million active user profiles.

Few of these users have heard of Acxiom, let alone had any direct interaction with the company. Yet the profiles, which data brokers such as Acxiom sell, are populated with their browsing habits; the Facebook discussions they have with their friends and family; their sensitive medical and financial information; their ethnic, religious, and political alignments; and even real-world locations visited. All this data is collected, analyzed, and refined into a sophisticated socio-economic categorization scheme, which Acxiom's customers use as the basis of decision-making.

The sheer complexity of the ecosystem that fuels databases such as Acxiom's defies any attempt to articulate within the confines of a privacy policy. A number of jurisdictions are looking at ways of addressing the need for greater transparency and choice. I will briefly focus on four here that I think are relevant specifically to PIPEDA. I'll point out as well that the nature of the data being collected in this ecosystem is also increasing in sensitivity. Newly emerging capacities are aiming to incorporate real-time location and even emotional state into the categories of information that are available for targeting. I'll touch on four changes I think we should focus on. The first is transparency.

Greater transparency is needed. To this end, the United States Federal Trade Commission has recently stated it will push data brokers to provide centralized online mechanisms that will help users discover which data brokers have collected their data. This can serve as the basis for the exercise of other user rights.

Informing users can be achieved in a number of contexts through greater integration of notification into the service itself. This not only allows for greater flexibility and nuance in notification, but also increases privacy salience by reminding users in context of the privacy decisions they are making. In addition, elements of privacy policies can be standardized, but care must be taken not to oversimplify data practices that are in reality complex. The dangers of oversimplification are that organizations will begin to rely on blanket and categorical consent, which are simple but do not provide customers or advocacy groups the details they need to properly assess their practices.

Another area I'd like to touch on is privacy by default or privacy by effort, which is an analog to that.

Transparency alone is not enough to protect privacy in this interconnected age we are in. In a recent consultation process on online privacy, it was noted that many online services are public by default and privacy by effort. New users will rarely know how to configure the complex web of the often conflicting privacy control services that are offered when first signing on. Settings constantly shift and change, as new ones are introduced and old ones replaced, or when new features are added to existing services. Simply maintaining a constant level of privacy is a never-ending effort.

Compounding such efforts is a tendency for social networking sites to make occasional tectonic shifts in the constitution and nature of their services. These are often imposed on ingrained users as “take it or leave it” propositions. At other times, pre-selected defaults are used to nudge users in directions that are very different from the service they have grown accustomed to.

As you've heard from other experts, the devil is indeed in the defaults. Stronger protections are needed to ensure new services and settings are introduced with privacy-friendly defaults that reflect the expectations of users and the sensitivity of the data in question, not whatever configuration is best fitted to the service provider's business model.

Under PIPEDA, the form of consent should already be tailored to user expectations and the sensitivity of the data that might be affected. However, in order to firmly ingrain this concept in service design, privacy by default should be explicitly adopted as a principle under PIPEDA.

Another area I want to touch on briefly is enforcement and process.

The committee has heard from a number of parties about the importance of ensuring that the Office of the Privacy Commissioner can enforce its powers. Adding bite to PIPEDA is critical for a number of reasons. First, it is necessary in order to provide incentives for compliance. Currently there are very few penalties for non-compliance. In most cases the most an organization can expect is the threat of being publicly shamed for non-compliance. Second, having these powers in place will assist the Office of the Privacy Commissioner in its interactions with large multinational organizations so it can carry out its mandate in protecting the privacy of Canadians.

In addition to adding penalties, procedural changes to the OPC's investigative and compliance framework should be explored. Compliance with OPC recommendations in a social networking context may be a long and complicated road, requiring changes to system design. However, under PIPEDA the OPC's legal mandate to exercise its powers over a particular complaint ends 45 days following the issuance of an official finding. The mechanism lacks the flexibility necessary to ensure Privacy Commissioner recommendations are carried out adequately.

Finally, I'll touch briefly on breach notification requirements.

Canada is in dire need of a breach notification obligation. Such an obligation will improve incentives to build stronger technical safeguards and provide users with opportunities to redress harm, such as identity theft and the potential humiliation that may result from a breach of their data.

Bill C-12, which is currently in first reading, provides a workable framework for breach notification, but it requires fixes and a commitment to introduce penalties for non-compliance if it is to be effective.

I would be happy to elaborate further on any of these points. CIPPIC plans to file a more detailed brief with the committee at a later point.

Thank you very much for your time and attention.

June 12th, 2012 / 12:25 p.m.

Dr. Vincent Gautrais, Full Professor, Université de Montréal

Thank you, Mr. Chair.

I would like to use my 10 minutes to share the opinion of someone who is not quite an expert on privacy issues. For some 20 years now, I have been interested in the relationship between the law and technology. It is from that perspective that I would like to expand on three points. Very often, I discuss those points to deal with the complexity that characterizes new technology. Those three points are very simple: who, what and how.

Let's begin with the “who”. Who should take action when it comes to those issues? I would like to begin with the first instinct we have—that of thinking that the legislator should act in such matters. I would nevertheless like to repeat the opinion of an old civil lawyer who said that legislating should be done carefully. This means that, in such a new field—which is so poorly controlled—adopting a piece of legislation very quickly is often a factor that prevents our habits from developing.

Therefore, I think that, in terms of legislation, we should be careful. We should take a step back and focus more on establishing a strictly minimalist approach in legislation, without developing, in my opinion, any new concepts. We have seen such concepts in Europe—including the “right to forget”, which was developed in a number of European pieces of legislation and seems to me overly difficult to apply.

Conversely, even if the goal is to limit the legislator's role, it does not mean that nothing should be done. There are some possibilities when it comes to privacy management as far as organization goes. I think that the options established in Bill C-12 are very interesting, especially with regard to providing the Office of the Privacy Commissioner of Canada with a bit more power.

This means that my second stakeholder in terms of privacy is the Office of the Privacy Commissioner. Let's compare what we do here with what is done elsewhere, in all western democracies or, at least, in Europe. If we compare ourselves with countries such as Germany, Sweden or France, we realize that the office has fairly limited prerogative powers. Overall, the resources and the number of people who work within the Office of the Privacy Commissioner are, in Canada, half of those in Europe. I feel there could be some more resources to help develop habits. That's something I will talk to you about later. So it's a matter of informal standards in terms of privacy management.

As for the third stakeholder that would be likely to act in privacy matters, I have in mind organizations themselves—in other words, companies and public organizations that manage data. Pursuant to a point I will develop later on, I feel that those organizations are becoming increasingly accountable when it comes to the way they must manage personal information. The notion of accountability is hard to render in French. It has developed in all international fora—increasingly so over the past few years, or since 2004-2005. The notion of accountability is a concept that, in my opinion, should be promoted in this committee's projects.

So there you have the “who”, and that's what I had to say about the stakeholders who should be involved in those issues.

Let's now talk about the “what”. I would like to use a single sentence to summarize my thoughts on this: I fear the shade much more than the light. What do I mean by that? There are many fantasies and fears when it comes to social media. There are of course some genuine fears. My opinions differ from those of my colleagues, but there are some real fears. There are also some imaginary fears. In some respects, what I can put on a Facebook page does not frighten me at all. I encourage my three children to use Facebook, but I am sorry to say that they don't want to.

However, it's quite possible to use Facebook without privacy being affected. If schools and the Office of the Privacy Commissioner educate us, we should be able to manage that. I am referring to Twitter. Two days ago, the office posted a cartoon on Twitter to explain how people should manage privacy. That kind of a solution is not of a strictly legal nature. Law is not the only possibility in life; there are other solutions that can help change Facebook or Google users' behaviour.

In many ways, I have no fear of how Facebook may use information. I am also not worried about Google Street View, and that is something I would like to discuss. I am bringing this up because the Office of the Privacy Commissioner has made some recommendations against Google Street View. However, Google Street View is not dangerous. I have no problem with being seen in front of my home taking out the garbage. This is one example of imagined fears that are sometimes associated with social media.

That being said, there are nevertheless real problems and fears. We must keep an eye on new behaviours, and I agree with my colleagues when it comes to that. What scares me more is when the objective is changed, the reason why information was placed on Facebook or Google. In many respects, those changes of objective are made through a contract no one reads. An average social media user would have to spend 20 hours a month to read the privacy policies that apply to Google and all the websites they visit. That is unfeasible. Saying that protection goes through information and consent is an illusion. As Professor Kerr mentioned, that is a totally inapplicable legal tool.

As my colleague was saying, there are some cases where consent should not be given. For instance, some law firms—in Quebec and the rest of Canada—ask their students for their Facebook account to see who they are in real life. Such cases go against the law, and a judge could consider them to be a violation of the law. In fact, it may be useful to explicitly state that in a piece of legislation.

I have covered the “what”, but I will now talk about the “how”. I would like to come back to the notion of accountability, which is becoming increasingly developed. According to that notion, organizations must establish policies that will make it possible to objectify, if I may put it that way, their diligence in managing personal information. Forcing Facebook, Google or any other public sector company or organization to show everyone how they manage data internally would be a way to check how diligent they are. That notion is fundamental and very useful. It is actually the basis of an agreement concluded last November between the Federal Trade Commission, in the U.S., and Facebook, whereby the latter committed to open its books and show its management of data over a 20-year period. The future lies in the notion of accountability.

Once again, we have to be careful. This is coming from a technology expert who goes beyond the notion of privacy. There have been some rather unfortunate cases, especially in the area of securities. In 2002, several financial scandals erupted in the United States. To remedy that situation, all companies listed on the stock exchange were asked to open their books and produce internal reports to show how they were managing financial information. Many U.S. authors showed that large quantities of documents had been produced and financed by accounting firms, some of which were at the source of the financial scandals. Some $60 billion or $70 billion later, they ended up with a magnificent documentation that, in the end, is sometimes difficult to apply.

That is why this notion of accountability should not be introduced through a piece of legislation, but rather through informal practice standards, through codes of conduct. With a more negotiated approach, there would be no law imposing things within a generally quite short time frame, and the situation would be conducive to dialogue for establishing practice standards. Informal standards and codes of conduct are often criticized because they are not restrictive enough. When I compare our privacy system with the European one—with fairly substantial resources for monitoring the strict application of the legislation—it seems to me that a more in-between approach, a more negotiated approach, could have better results.

Thank you.

Extension of Sitting Hours (Routine Proceedings)

June 11th, 2012 / 3:25 p.m.

Peter Van Loan (Conservative), Leader of the Government in the House of Commons, York—Simcoe, Ontario

moved:

That, pursuant to Standing Order 27, the ordinary hour of daily adjournment shall be 12 midnight, commencing on Monday, June 11, 2012, and concluding on Friday, June 22, 2012, but not including Friday, June 15, 2012.

Today I rise to make the case for the government's motion to extend the working hours of this House until midnight for the next two weeks. This is of course a motion made in the context of the Standing Orders, which expressly provide for such a motion to be made on this particular day once a year.

Over the past year, our government's top priority has remained creating jobs and economic growth.

Job creation and economic growth have remained important priorities for our government.

Under the government's economic action plan, Canada's deficits and taxes are going down; investments in education, skills training, and research and innovation are going up; and excessive red tape and regulations are being eliminated.

As the global economic recovery remains fragile, especially in Europe, Canadians want their government to focus on what matters most: jobs, economic growth and long-term prosperity. This is what our Conservative government has been doing.

On March 29, the Minister of Finance delivered economic action plan 2012, a comprehensive budget that coupled our low-tax policy with new actions to promote jobs and economic growth.

The 2012 budget proposed measures aimed at putting our finances in order, increasing innovation and creating suitable and applicable legislation in the area of resource development in order to promote a good, stable investment climate.

The budget was debated for four days and was adopted by the House on April 4. The Minister of Finance then introduced Bill C-38, Jobs, Growth and Long-term Prosperity Act, the 2012 budget implementation bill. The debate at second reading of Bill C-38 was the longest debate on a budget implementation bill in at least two decades, and probably the longest ever.

On May 14, after seven days of debate, Bill C-38 was passed at second reading.

The bill has also undergone extensive study in committee. The Standing Committee on Finance held in-depth hearings on the bill. The committee also created a special subcommittee for detailed examination of the bill's responsible resource development provisions. All told, this was the longest committee study of any budget implementation bill for at least the last two decades, and probably ever.

We need to pass Bill C-38 to implement the urgent provisions of economic action plan 2012. In addition to our economic measures, our government has brought forward and passed bills that keep the commitments we made to Canadians in the last election.

In a productive, hard-working and orderly way, we fulfilled long-standing commitments to give marketing freedom to western Canadian grain farmers, to end the wasteful and ineffective long gun registry, and to improve our democracy by moving every province closer to the principle of representation by population in the House of Commons.

However, in the past year our efforts to focus on the priorities of Canadians have been met with nothing but delay and obstruction tactics by the opposition. In some cases, opposition stalling and delaying tactics have meant that important bills are still not yet law. That is indeed regrettable.

In the case of Bill C-11, the copyright modernization act, a bill that will help to create good, high-paying jobs in Canada's creative and high-tech sectors, this House has debated the bill on 10 days. We heard 79 speeches on it before it was even sent to committee. This is, of course, on top of similar debate that occurred in previous Parliaments on similar bills.

It is important for us to get on with it and pass this bill for the sake of those sectors of our economy, to ensure that Canada remains competitive in a very dynamic, changing high-tech sector in the world, so that we can have Canadian jobs and Canadian leadership in that sector.

Bill C-24 is the bill to implement the Canada-Panama free trade agreement. It has also been the subject of numerous days of debate, in fact dozens and dozens of speeches in the House, and it has not even made it to committee yet.

Bill C-23 is the Canada-Jordan economic growth and prosperity act. It also implements another important job-creating free trade agreement.

All three of these bills have actually been before this place longer than for just the last year. As I indicated, they were originally introduced in previous Parliaments. Even then, they were supported by a majority of members of this House and were adopted and sent to committee. However, they are still not law.

We are here to work hard for Canadians. Adopting today's motion would give the House sufficient time to make progress on each of these bills prior to the summer recess. Adopting today's motion would also give us time to pass Bill C-25, the pooled registered pension plans act. It is a much-needed piece of legislation that would give Canadians in small businesses and self-employed workers yet another option to help support them in saving for their retirement. Our government is committed to giving Canadians as many options as possible to secure their retirement and to have that income security our seniors need. This is another example of how we can work to give them those options.

In addition to these bills that have been obstructed, opposed or delayed one way or another by the opposition, there are numerous bills that potentially have support from the opposition side but still have not yet come to a vote. By adding hours to each working day in the House over the next two weeks, we would allow time for these bills to come before members of Parliament for a vote. These include: Bill C-12, safeguarding Canadians' personal information act; and Bill C-15, strengthening military justice in the defence of Canada act. I might add, that bill is long overdue as our military justice system is in need of these proposed changes. It has been looking for them for some time. It is a fairly small and discrete bill and taking so long to pass this House is not a testament to our productivity and efficiency. I hope we will be able to proceed with that.

Bill C-27 is the first nations financial transparency act, another step forward in accountability. Bill C-28 is the financial literacy leader act. At a time when we are concerned about people's financial circumstances, not just countries' but individuals', this is a positive step forward to help people improve their financial literacy so all Canadians can face a more secure financial future. Bill C-36 is the protecting Canada's seniors act which aims to prevent elder abuse. Does it not make sense that we move forward on that to provide Canadian seniors the protection they need from those very heinous crimes and offences which have become increasingly common in news reports in recent years?

Bill C-37 is the increasing offenders' accountability for victims act. This is another major step forward for readjusting our justice system which has been seen by most Canadians as being for too long concerned only about the rights and privileges of the criminals who are appearing in it, with insufficient consideration for the needs of victims and the impact of those criminal acts on them. We want to see a rebalancing of the system and that is why Bill C-37 is so important.

Of course, we have bills that have already been through the Senate and are waiting on us to deal with them. Bill S-2 deals with matrimonial real property and would give fairness and equality to women on reserve, something long overdue in this country. Let us get on with it and give first nations women the real property rights they deserve. Then there is Bill S-6, first nations electoral reform, a provision we want to see in place to advance democracy. Bill S-8 is the safe drinking water for first nations act; and Bill S-7 is the combatting terrorism act.

As members can see, there is plenty more work for this House to do. As members of Parliament, the least we can do is put in a bit of overtime and get these important measures passed.

In conclusion, Canada's economic strength, our advantage in these uncertain times, and our stability also depend on political stability and strong leadership. Across the world, political gridlock and indecision have led to economic uncertainty and they continue to threaten the world economy. That is not what Canadians want for their government. Our government is taking action to manage the country's business in a productive, hard-working and orderly fashion. That is why all members need to work together in a time of global economic uncertainty to advance the important bills I have identified, before we adjourn for the summer.

I call on all members to support today's motion to extend the working hours of this House by a few hours for the next two weeks. For the members opposite, not only do I hope for their support in this motion, I also hope I can count on them to put the interests of Canadians first and work with this government to pass the important bills that remain before us.

June 7th, 2012 / noon

Dr. Ann Cavoukian, Commissioner, Office of the Information and Privacy Commissioner of Ontario

Thank you very much for that question.

I think there's one way that we can do it. I'll refer you to a paper that we released this past summer—I'm trying to remember the name of it—“Privacy by Design in Law, Policy and Practice”. The idea for the paper came from Commissioner Pamela Jones Harbour, who is a former commissioner with the Federal Trade Commission. When she was talking to me about privacy by design, she said we could impose it as a requirement, a condition, in our consent decrees, in decisions that the FTC issues upon completion of an investigation, and we could include it as something on a go-forward basis that a company would have to follow proactively from that point on.

Justice La Forest kindly reviewed the paper that I just mentioned, which you can find on our website, and he said that privacy by design is an excellent idea that should be incorporated into administrative means of law addressing privacy on a go-forward basis.

One way we could do it—I know that Bill C-12 is looking at changes to PIPEDA—would be to have some way of saying that on a go-forward basis, at the conclusion of an investigation, a company would be required to follow privacy by design in any particular area that was problematic.

The other thing about privacy by design is that it's not a punishment. We always say privacy is good for business. There should be a privacy payoff to businesses that follow good privacy practices. Consumer confidence and trust are being eroded very quickly in this day and age, and you can strengthen that on the part of your customers. It is not something that is in fact a stick. It is both a carrot and an inducement to introduce privacy protections in a way that ultimately will save the company resources, because they'll be able to avoid privacy infractions and privacy investigations, and potentially, class-action lawsuits that are coming out.

There's so much happening on the privacy front that when we talk to companies about privacy by design we do it because they invite us to tell them how to do it. They want to do it, not only for the right reasons but for business-related benefits as well.

I think there is a way forward by imbedding it into new regulatory structures.

May 31st, 2012 / 11:10 a.m.

Dr. Michael Geist, Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Thank you very much.

Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I was a member of the national Task Force on Spam, and I currently serve on the Privacy Commissioner of Canada's expert advisory committee, but I appear before this committee today in a personal capacity representing only my own views.

My opening comments will identify several areas for potential government action, but I want to provide a bit of context with three key caveats.

First, which I think may be stating the obvious, is that social media is an enormously important and positive development. The number of users is staggering and its role as a key source for communication, community, and political activity grows by the day. The opportunities presented by social media should be embraced, not demonized, in my view, and government should be actively working to ensure that it incorporates social media into its policy consultation processes.

Second, Canada has played a leadership role, to a certain extent, in the use and regulation of social media. The Privacy Commissioner of Canada was the first to conduct a major privacy investigation into Facebook and has led on other issues with respect to social media and Internet companies.

Third, while we have had some influence through those investigations, Canada has not led in creating the social media services used by millions around the world. I believe that the failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances, where the ability to place an unmistakable Canadian stamp on social media is undermined by the policy failures that have done little to encourage the development of Canadian e-commerce and social media.

With those caveats, what is there to be done? I'd like to focus on four areas of interest.

First, I think we need to finish what we've started.

The government has introduced and even passed legislation that can be helpful in addressing some of the concerns that arise from social media, yet these initiatives have stalled short of the finish line. Anti-spam legislation, for example, received royal assent in 2010, yet has still not taken effect as final regulations have not been approved. In fact, Industry Canada officials now indicate that it could be well into 2013 before the regulations take effect. Given the amount of work that went into this legislation, I find it shocking that it has been left in limbo.

Moreover, Bill C-12, the PIPEDA reform bill that seeks changes arising from the 2006 privacy review, continues to lag in the House of Commons, with there frankly seeming to be no interest in moving forward with the bill. Indeed, I'd argue that the bill is even now outdated, and a full PIPEDA review to address emerging concerns such as order-making power—as you just heard—and damages, and tougher security breach requirements than those found in the bill is needed. In fact, the Bill C-12 security breach reporting rules are primarily bark with little bite, given the absence of penalties for failure to comply.

Successive governments have promised a digital economy strategy for years and have failed to deliver. The strategy has come to be known as the “Penske file”, a reference to the Seinfeld episode that involves working on an imaginary file. While other countries are now years into implementing their strategies, in Canada we still lag behind.

I think it also should be noted that these issues must increasingly be addressed in concert with the provinces. The line between federal and provincial jurisdiction on many of these issues is blurry, and legal challenges against federal legislation are a real possibility. Work is needed to begin to develop minimum standards that can be implemented at the provincial level, should federal leadership be challenged in the courts by companies seeking to circumvent their privacy obligations.

Second, the devil is in the defaults. In many respects, social media and Internet companies are the most powerful decision-makers when it comes to privacy choices. As my colleague Professor Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the de facto privacy choice for millions of users. Given the increasing pressure to generate revenues, we can expect that those default choices are going to change in more aggressive ways to make use of user data.

There are examples of companies that are doing good work in this area. Twitter recently implemented do-not-track options that won plaudits from the Federal Trade Commission in the United States. Google offers its users transparency tools so they can obtain detailed information about what information is collected, some of the ways Google uses it, and how they can modify some of their privacy choices. The company has also been transparent about law enforcement requests for information and copyright takedown demands.

There needs to be continued work on these defaults, as well as initiatives to provide users with greater information and transparency, and steps to ensure that companies live by their privacy commitments.

Third is the issue of lawful access. The introduction of Bill C-30 brought with it an avalanche of public outrage and concern over proposed Internet surveillance legislation. While much of the focus was on mandatory warrantless disclosure of subscriber information by telecom service providers, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.

A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law-enforcement requests for customer name and address information, frequently for accounts that should have been deleted months earlier. Social media, as we've heard, generates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure. Indeed, documents that I recently obtained under access to information indicate that Public Safety is thinking about how these rules are applied to social media sites and services. I believe that Bill C-30 needs to go back to the drawing board to effectively account for these privacy concerns.

Fourth is the question of new legal issues, a number of which Professor Scassa has identified. I would argue that while much can be done to use or augment existing rules, social media and Internet sites do raise some unique issues that may require targeted responses. In the interest of time I would like to quickly identify two.

First is the issue of “do not track”. As you may know, cookies can be used to trace the web-browsing habits of users, including when they visit third-party sites. For example, Facebook inserts a cookie on user browsers that traces your activity as you surf the Internet. Any site with nothing more than a Facebook “like” button, as found on Conservative, NDP, and Liberal websites, means that Facebook records a visit to that site and retains that information for months. A growing number of sites, including Yahoo, AOL, and Twitter, respect the functionality found in Firefox browsers that allows users to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.

However, many sites have been slow to adopt the “do not track” option, and Facebook has thus far declined to do so. Given the failure of the industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that this form of user choice is implemented and respected.

Second is the growing problem of social media misuse. For example, in recent months there has been an increasing number of stories of employers requiring employees to provide their Facebook user ID and password as a condition of a job interview. Seeking the same information with direct questions would typically be prohibited, so this is used to circumvent long-standing standards and principles within employment law. In response, the State of Maryland recently passed a law banning employers from requiring employees or job applicants to provide access to their personal digital and social media accounts. Several other states in the United States are working on similar legislation, and I believe that Canada should follow suit.

Thanks very much for your attention.

May 29th, 2012 / 12:50 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I think the question gets back to digital literacy, and I would agree that it's very hard for consumers to sift through the plethora of information that's probably available on various Internet applications. I think the issue of digital literacy is one that will come back over and over again. Placing requirements on organizations to communicate in a way that is clear and understandable to the target audience is key, and again, something that we hope to see brought into force with the passage of Bill C-12.

May 29th, 2012 / 12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

Thank you for the question. I do think you raise a very important point. Digital literacy has been an issue that has been raised over and over again in the context of having people understand what their privacy risks are online. I do think digital literacy needs to be a priority. Awareness is an important element. It's important, as the commissioner pointed out, because schoolchildren are coming online sooner and sooner. For them to understand the potential risks they face when they put their information online is key.

Again, I mentioned to you briefly that one of the amendments in Bill C-12 will impose a new obligation, or a clearer obligation, on organizations to target their messaging at their target audience. When you're talking about children, or frankly, the average Internet user, it's important they're aware that there are measures they can take to further protect their privacy online.

May 29th, 2012 / 12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I think the commissioner was pointing to the fact that Canada is one of the few remaining countries that do not have mandatory data breach reporting requirements. Therefore, as I indicated, it is important for Canada to catch up and pass the amendments in Bill C-12 that are currently before the House.

In terms of going forward, the commissioner made reference to the overall compliance powers under the act and suggested that the second parliamentary review would be a good opportunity to take a second look at that. Perhaps that's something parliamentarians would like to do.

May 29th, 2012 / 12:30 p.m.

Charmaine Borg, NDP, Terrebonne—Blainville, QC

Unfortunately, I think we are really lagging behind when it comes to everything Internet-related. I think that a lot of work needs to be done and that it is better to be proactive than wait until there's a disaster.

On that same topic, the commissioner, Ms. Stoddart, said in her testimony, and as you explained in your presentation, that Canada is lagging behind with respect to standards for data breach. Perhaps Bill C-12 doesn't contain enough measures.

Can you please explain why we lag so far behind when it comes to informing users about breaches of their personal information?

May 29th, 2012 / 12:20 p.m.

Janet Goulding, Director General, Governance, Policy Coordination and Planning, Department of Industry

Thank you, Chair.

I'd like to introduce my colleagues who are with me today: Bruce Wallace, director of security and privacy policy, and Jill Paterson, a policy analyst with our digital policy branch.

Your committee has chosen to study a very important and timely issue. The protection of personal information online is a prerequisite for a strong global digital economy. I am here today to provide some background on the federal legislation that protects the privacy of Canadians in commercial transactions, online and elsewhere, the Personal Information Protection and Electronic Documents Act or PIPEDA.

Since it was implemented, PIPEDA has provided a solid foundation for the protection of privacy online. Canada's federal private sector privacy law is regarded around the world as a model for other countries to follow when seeking ways to protect the privacy of individuals. Much of its strength comes from the manner in which PIPEDA addresses privacy in a technologically neutral way, using a flexible, principle-based approach.

PIPEDA deals with two distinct issues. Part 1 sets out the privacy protection obligations under the act. Parts 2 to 5 deal more with electronic documents than with privacy, and as such are not relevant to your current study.

Part 1 of PIPEDA sets the rules for the private sector in protecting personal information used in the course of business. It establishes clear ground rules that govern the collection, use and disclosure of personal information.

The act balances two central considerations: the need to protect the privacy of individuals, and the need of organizations to collect, use, or disclose personal information in the course of commercial activities. Striking this balance is particularly relevant in the online environment, where large amounts of information can be rapidly collected and stored, and financial transactions can be completed in just a few seconds.

There are some key features of the act I'd like to touch on today.

First, the act applies only to personal information that's used for commercial purposes. It applies to personal information in all formats—electronic and non-electronic. The act applies across the economy as a whole, not just to individual sectors.

Second, the law is based on a set of principles taken from the Canadian Standards Association's Model Code for the Protection of Personal Information. The code was developed by the private sector and consumer representatives and was adopted well before the act came into force. The code is a set of 10 core privacy principles, which were incorporated into schedule 1 of the act.

I'd like to draw your attention to the most central principle, which is the need for consent. Privacy legislation in Canada, and in many other countries, is founded on the principle of consent, whether that be expressed or implied, to collect, use, and disclose personal information.

The act also requires that any collection, use, or disclosure of personal information by an organization should be considered by a reasonable person to be appropriate in the circumstances. This is an overarching test that applies to all provisions of the act. This requirement brings a significant degree of flexibility to the legislation, allowing PIPEDA to remain applicable while social norms, behaviours, and expectations change over time and in different situations, both online and offline.

PIPEDA first came into force in 2001, before the onset of online services and activities—such as Twitter, YouTube, Google, and Facebook—which today we take for granted. Yet as the Internet has evolved, and as new services have been introduced, the legislation has proven to be an effective tool. Its flexibility, resulting from its technology-neutral and principles-based approach, has enabled Canada's Privacy Commissioner to address the challenges that have arisen online, including in social media environments. She has enforced privacy provisions on an international scale against some of the world's largest online service providers, including Google and Facebook.

For example, following an investigation by the commissioner, Facebook took corrective action to bring practices in line with obligations under PIPEDA. Facebook agreed to provide information to help users better understand how their personal information will be used so that they can make more informed decisions about how widely to share that information.

Overall, the legislation continues to provide a robust framework on which to find a balance between business practices and protecting the privacy of Canadians. However, technological innovation, combined with continual changes to individuals' online practices, highlights the importance of reviewing PIPEDA to ensure that it can appropriately address emerging challenges.

In particular, the development of applications for individuals to share information about themselves—a key aspect of what is known as "Web 2.0"—is changing online behaviour. Much personal information is volunteered by individuals themselves. And despite being active participants in the flow of personal information, many users may not fully understand the way their information is used, or the associated privacy risks.

Research indicates that social media users may not anticipate how broadly accessible information they post will be. In addition, the use of "cookies" and other online tracking tools is pervasive, and yet largely invisible to the average Internet user. The potential exists for personal information to be aggregated and used in ways which the individual may never have even imagined and with which they may disagree.

There are complex issues involved in the development of policy frameworks to maintain privacy protection in this environment. Canada is one of many jurisdictions currently grappling with this. The OECD, for example, is currently conducting a review of its privacy guidelines, which were the first internationally agreed-upon set of principles and which influenced the development of the CSA model code, upon which PIPEDA is based.

Likewise, a good piece of legislation like PIPEDA can be made even better with regular review to ensure that it keeps pace with advancing technology and evolving business models.

Bill C-12, the Safeguarding Canadians' Personal Information Act, will update PIPEDA in a number of important ways. The bill, which is awaiting second reading in the House of Commons, is the result of the first review of the act, which was undertaken by your predecessors on this committee in 2006-2007. At that time the committee concluded that no major changes to the act were needed; however, they did make a number of recommendations aimed at improving some elements, notably the need for mandatory data breach reporting requirements.

Following the committee's report, Industry Canada conducted extensive consultations, leading to the government response, which indicated that several amendments to PIPEDA would be made to address the committee's recommendations. These amendments were first tabled in May 2010, but subsequently died on the order paper. The amendments were later reintroduced as Bill C-12, which was tabled in September of 2011.

Significantly, Bill C-12 will create a powerful tool to protect and empower consumers online. The bill establishes a framework under which businesses must notify customers when their personal information has been lost or stolen. Canada's Privacy Commissioner has long called for a legislative approach to data breach notification. In 2007, her office published voluntary breach notification guidelines, but she has expressed concern that not all businesses are reporting data breaches, nor have all organizations taken appropriate security precautions to protect their holdings of personal information.

Bill C-12 requires organizations to notify individuals in cases where a breach poses a real risk of significant harm, such as identity theft or fraud or damage to reputation. The Privacy Commissioner will also be informed of any material breach, thus allowing her to exercise oversight of compliance with the new requirements. Consistent with her current compliance powers, the Commissioner will be able to publicly name organizations that fail to meet their obligations if she feels this is in the public interest. This is a powerful inducement for organizations to act in good faith. In fact, we have seen this power compel change in the practices of well-known social media companies such as Facebook and Google. Several high-profile data breaches in the past several years, such as those experienced by Sony and the large e-mail marketing firm Epsilon, have underscored the need to pass this bill and its new notification requirements quickly.

The bill also includes enhancements to the consent provisions designed to protect the privacy of minors online. Research shows that children may not have the capacity to understand the consequences of sharing personal information. Not all marketing activity directed at children is inappropriate; however, some online services surreptitiously collect personal information about children in an environment that is often designed to look like playgrounds or educational websites. Therefore, Bill C-12 requires organizations to make a reasonable effort when collecting the personal information of minors to clearly communicate why it is being collected in a way that would be understood by the target audience.

We believe these changes are an important step towards ensuring that our privacy legislation continues to protect Canadians.

Thank you for the opportunity to come before the committee today. My colleagues and I would be happy to take your questions.

May 29th, 2012 / noon

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, honourable member. I think the changes that Bill C-12 would bring are very welcome, but I don't think they go far enough. We're now halfway through 2012, and as I mentioned in my presentation, Canadian privacy legislation has lagged behind the reforms in other major countries, and so there isn't much incentive for corporations to invest in the kind of software or personnel training that makes Canadians' data safer. So I think basically the bill could be strengthened.

May 29th, 2012 / noon

Dean Del Mastro, Conservative, Peterborough, ON

Bill C-29, which was in the former Parliament, made some changes to PIPEDA, and Bill C-12, which was reintroduced on September 29, 2011, had a key amendment that required organizations to report data breaches—referred to in the bill as breaches of security safeguards involving personal information—to the Privacy Commissioner and notify affected individuals when there is real significant harm, such as identity theft or fraud.

I have a lot of folks in my community who are concerned about identity theft. It seems that every once in a while we'll hear about a significant security breach. In fact, your office has reported on some of them. This reporting requirement for security breaches, is it something you would support, these changes that are suggested in Bill C-12?

March 27th, 2012 / 11:15 a.m.

Charlie Angus, NDP, Timmins—James Bay, ON

Thank you.

Finally, we have two bills before the House that could have huge implications for Canadian privacy rights: the update to the PIPEDA, Bill C-12; and then Bill C-30, Minister Vic Toews' snooping law.

Have you done any analysis of the potential impact on your department in terms of information?