Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.


This bill has received Royal Assent and is now law.


This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.


All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.


June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: ( a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; ( b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; ( c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; ( d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and ( e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

January 29th, 2019 / 3:45 p.m.
See context

Canada Research Chair in Internet and E-Commerce Law, Faculty of Law, University of Ottawa, As an Individual

Dr. Michael Geist

Good afternoon, everybody. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in internet and e-commerce law and am a member of the Centre for Law, Technology and Society.

My areas of speciality include digital policy, intellectual property and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board. I have been privileged to appear many times before committees on privacy issues, including on PIPEDA, Bill S-4, Bill C-13, the Privacy Act and this committee's review of social and media privacy. I'm also chair of Waterfront Toronto's digital strategy advisory panel, which is actively engaged in the smart city process in Toronto involving Sidewalk Labs. As always, I appear in a personal capacity as an independent academic representing only my own views.

This committee's study on government services and privacy provides an exceptional opportunity to tackle many of the challenges surrounding government services, privacy and technology today. Indeed, I believe what makes this issue so compelling is that it represents a confluence of public sector privacy law, private sector privacy law, data governance and emerging technologies. The Sidewalk Labs issue is a case in point. While it's not about federal government services—it's obviously a municipal project—the debates are fundamentally about the role of the private sector in the delivery of government services, the collection of public data and the oversight or engagement of governments at all levels. For example, the applicable law of that project remains still somewhat uncertain. Is it PIPEDA? Is it the provincial privacy law? Is it both? How do we grapple with some of these new challenges when even determining the applicable law is not a straightforward issue?

My core message today is that looking at government services and privacy requires more than just a narrow examination of what the federal government is doing to deliver the services, assessing the privacy implications and then identifying what rules or regulations could be amended or introduced to better facilitate services that both meet the needs of Canadians and provide them with the privacy and security safeguards they rightly expect.

I believe the government services really of tomorrow will engage a far more complex ecosystem that involves not just the conventional questions of the suitability of the Privacy Act in the digital age. Rather, given the overlap between public and private, between federal, provincial and municipal, and between domestic and foreign, we need a more holistic assessment that recognizes that service delivery in the digital age necessarily implicates more than just one law. These services will involve questions about sharing information across government or governments, the location of data storage, transfer of information across borders, and the use of information by governments and the private sector for data analytics, artificial intelligence and other uses.

In other words, we're talking about the Privacy Act, PIPEDA, trade agreements that feature data localization and data transfer rules, the GDPR, international treaties such as the forthcoming work at the WTO on e-commerce, community data trusts, open government policies, Crown copyright, private sector standards and emerging technologies. It's a complex, challenging and exciting space.

I would be happy to touch on many of those issues during questions, but in the interest of time I will do a slightly deeper dive into the Privacy Act. As this committee knows, that is the foundational statute for government collection and use of personal information. Multiple studies and successive federal privacy commissioners have tried to sound the alarm on the legislation that is viewed as outdated and inadequate. Canadians understandably expect that the privacy rules that govern the collection, use and disclosure of their personal information by the federal government will meet the highest standards. For decades we have failed to meet that standard. As pressure mounts for new uses of data collected by the federal government, the necessity of a “fit for purpose” law increases.

I would like to point to three issues in particular with the federal rules governing privacy and their implications. First is the reporting power. The failure to engage in meaningful Privacy Act reform may be attributable in part to the lack of public awareness of the law and its importance. Privacy commissioners played an important role in educating the public about PIPEDA and broader privacy concerns. The Privacy Act desperately needs a similar mandate for public education and research.

Moreover, the notion of limiting reporting to an annual report reflects really a bygone era. In our current 24-hour social media-driven news cycle, restrictions on the ability to disseminate information—real information, particularly that which touches on the privacy of millions of Canadians—can't be permitted to remain outside the public eye until an annual report can be tabled. Where the commissioner deems it in the public interest, the office must surely have the power to disclose in a timely manner.

Second is limiting collection. The committee has heard repeatedly that the Privacy Act falls woefully short in meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be the model, it instead requires less of itself than it does of the private sector.

A key reform, in my view, is the limiting collection principle, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities. This is particularly relevant with respect to emerging technologies and artificial intelligence.

The Office of the Privacy Commissioner of Canada, which I know is coming in later this week, recently reported on the use of data analytics and AI in delivering certain programs. The report cited several examples, including Immigration, Refugees and Citizenship Canada's temporary resident visa predictive analytics pilot project, which uses predictive analytics and automated decision-making as part of the visa approval process; the CBSA's use of advanced analytics in its national targeting program with passenger data involving air travellers arriving in Canada; and the Canada Revenue Agency's increasing use of analytics to sort, categorize and match taxpayer information against perceived indicators of risks of fraud.

These technologies obviously offer great potential, but they also may encourage greater collection, sharing and linkage of data. That requires robust privacy impact assessments and considerations of the privacy cost benefits.

Finally, we have data breaches and transparency. Breach disclosure legislation, as I'm sure you know, has become commonplace in the private sector privacy world and it has long been clear that similar disclosure requirements are needed within the Privacy Act. Despite its importance, it took more than a decade in Canada to pass and implement data breach disclosure rules for the private sector, and as long as that took, we're still waiting for the equivalent at the federal government level.

Again, as this committee knows, data indicate that hundreds of thousands of Canadians have been affected by breaches of their private information. The rate of reporting of those breaches remains low. If the public is to trust the safety and security of their personal information, there is a clear need for mandated breach disclosure rules within government.

Closely related to the issue of data breaches are broader rules and policies around transparency. In a sense, the policy objective is to foster public confidence in the collection, use and disclosure of their information by adopting transparent open approaches with respect to policy safeguards and identifying instances where we fall short.

Where there has been a recent emphasis on private sector transparency reporting, large Internet companies, such as Google and Twitter, have released transparency reports. They've been joined by some of Canada's leading communications companies such as Rogers and Telus. Remarkably, though, there are still some holdouts. For example, Bell, the largest player of all, still does not release a transparency report in 2019.

Those reports, though, still represent just one side of the story. Public awareness of the world of requests and disclosures would be even better informed if governments would also release transparency reports. These need not implicate active investigations, but there's little reason that government not be subject to the same kind of expectations on transparency as the private sector.

Ultimately, we need rules that foster public confidence in government services by ensuring there are adequate safeguards and transparency and reporting mechanisms to give the public the information it needs about the status of their data and appropriate levels of access so the benefits of government services can be maximized.

None of that is new. What may be new is that this needs to happen in an environment of changing technologies, global information flows and an increasingly blurry line between public and private in service delivery.

I look forward to your questions.

May 4th, 2017 / 3:30 p.m.
See context

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chair.

Ladies and gentlemen of the committee, thank you for the opportunity to appear before you to discuss the 2017-18 Main Estimates.

In the time allocated, I will first discuss the sustained demands on our office and the management of our financial resources. Secondly, I will talk about our policy agenda for this coming year.

In recent years, the Office of the Privacy Commissioner of Canada has maintained its efforts to find efficiencies and make optimal use of existing resources of slightly more than $24 million to be as effective as possible in addressing the privacy risks of an increasingly technological world.

Fiscal year 2017-18 will be no exception. Amidst competing demands, we will not lose sight of our mandate: ensuring that the privacy rights of Canadians are respected and that their personal information is protected.

In 2017-18, we will continue to fulfill our core mandate, which includes conducting investigations, examining breach reports, undertaking audits, reviewing privacy impact assessments or PIAs, providing guidance to individuals and organizations, and offering advice to parliamentarians.

On the investigations side, we have become more efficient in part through increased use of early resolution to find appropriate solutions. In 2015-16, 38% of complaints were resolved in this manner under the Privacy Act and 50% under the Personal Information Protection and Electronic Documents Act or PIPEDA. As a result, our response time on average was seven months for both public-sector and private-sector complaints.

However, the number of complex files is growing, which is creating a backlog of complaints that are not resolved after 12 months. In the coming year, I intend to devote temporary resources to address this situation.

In 2015-16, we received 88 new PIAs and completed 73 PIA reviews, in addition to opening 13 new consultation files. As you know, we would like to receive more PIAs and draft information sharing agreements, as we believe reviewing programs upstream is a good way to mitigate privacy risks.

In addition, we are taking steps to prepare for the coming into force of the breach provisions of Bill S-4. These new provisions will require private-sector organizations to report certain breaches to my office.

Public education and outreach are important activities to ensure Canadians are empowered to exercise their privacy rights and organizations are able to comply with their obligations. Last year, we revamped our website both in its structure and content to make it more user-friendly. This year, we will continue to update its content to provide helpful advice to Canadians.

We will continue to offer guidance to specific industry sectors deemed to be in need of greater privacy awareness, as well as vulnerable groups such as youth and seniors. We will also provide new guidance for individuals, and we will continue to advance our privacy priorities on issues such as online reputation, the body as personal information, the economics of personal information, and government surveillance.

Despite these efforts, we need to do much more to ensure that privacy rights are truly respected, a key condition for consumer trust and growth in the digital economy. Our goal is to complete all investigations within a reasonable time, to engage in some proactive enforcement, to give proactive advice to government, and to issue research-based guidance on most current and upcoming privacy issues.

In my annual report to be tabled in September, which will include our conclusions on improvements to the consent model and recommendations to amend PIPEDA, I will be able to bring more specificity to our compliance and proactive strategies. This, in turn, will inform a discussion on what might be an appropriate level of investment in OPC activities for the next few years.

I will now turn to some of the policy issues that we're seized with.

First is consent. Last May, my office released a discussion paper on issues related to privacy and consent. We then, through an extensive consultation process, sought input from industry, privacy experts, and Canadians. As mentioned, our final report will be released in September, and we will then work to implement the chosen solutions.

Second is online reputation. My office has also launched a consultation and call for submissions on the issue of online reputation as part of our efforts to address one of our strategic privacy priorities: reputation and privacy. We will share our policy position on online reputation before the end of the calendar year.

Third is legislative reform. My office has long stressed the need to modernize Canada's legal and regulatory frameworks. While the introduction of Bill S-4 was a positive development, Canada's federal private sector privacy law is now more than 15 years old. Technology and business models have changed. Our work on both consent and reputation will help inform the recommendations we will make to Parliament on reforming the law.

On the public sector side, I would like to express my gratitude to members of this committee for supporting my office's recommendations for modernizing the Privacy Act. My office now looks forward to participating in the government's review of the act to ensure that it meets the needs and expectations of Canadians, and in our view this work should proceed without delay.

On government surveillance, issues related to government surveillance will also form an important part of our policy agenda in the coming year. We note your recent report on SCISA, and we thank you for it. We also note the report just made public by SECU, the committee on national security, which also touched on information sharing under SCISA. We now await the measures the government will put forward to modify Bill C-51 to ensure that Canada's national security framework protects Canadians and their privacy.

We also have a number of investigations related to national security and government surveillance, and we are seeing heightened concerns from Canadians about privacy protections at the border and in the United States. Further to the adoption by President Trump of executive order 13768 of January 25, which deals with security in the interior of the United States, I had written to ministers to ask for confirmation that administrative agreements previously reached between Canada and the U.S. will continue to offer privacy protection to Canadians in the United States. Upon receipt of the government's response, which I expect shortly, I will inform Canadians of my conclusions.

In closing, to face the sustained volume but increased complexity of our work, we will continue this year to make the most efficient use of our resources as we have tried to do in the past.

Thank you, Mr. Chair. I look forward to questions from the committee.

March 21st, 2017 / 4:15 p.m.
See context

Dr. Michael Geist Canada Research Chair in Internet and E-commerce Law, Professor of Law, University of Ottawa, As an Individual


Good afternoon. My name is Michael Geist. I'm a law professor at the University of Ottawa where I hold the Canada research chair in Internet and e-commerce law. I appear here today in a personal capacity representing only my own views.

There's a lot that I would like to discuss given more time: stronger enforcement through order-making power; the potential for Canada's anti-spam legislation to serve as a model, at least on the issues of tougher enforcement and consent standards; and the mounting concerns with how copyright rules may undermine privacy. But given my limited time, I'll focus at least for these opening remarks on three issues: privacy reform pressures, consent, and transparency.

First, on the issue of reform, I had the honour of appearing before both the House and Senate committees on Bill S-4, which was ostensibly the effort to update PIPEDA by implementing recommendations that were first made in 2006. At the time it was obvious that further changes were needed. In fact, the ongoing delays in implementing even aspects of that bill, security breach notification, for example, shows how painfully slow the process of updating Canada's privacy laws has been.

I believe there's an increased urgency to address the issue. You've already heard from some and may hear from others about developments in Europe with the GDPR, which could threaten Canada's adequacy standing with European privacy officials.

But there's another international development that I think could have a significant impact on Canadian privacy law that bears attention. That's our trade deals and trade negotiations. The upcoming NAFTA renegotiations seem likely to include U.S. demands that Canada refrain from establishing so-called data localization rules that mandate the retention of personal information on computer servers located in Canada. Data localization has become an increasingly popular policy measure as countries respond to concerns about U.S.-based surveillance and the subordination of privacy protections for non-U.S. citizens and residents under the Trump administration.

Now, in response to those mounting concerns, leading technology companies like Microsoft, Amazon, and Google have established or committed to establish Canadian-based computer server facilities that can offer up localization of information. Those moves follow on the federal government's own 2016 cloud computing strategy that mandated that certain data be stored in Canada.

If we look at the Trans-Pacific Partnership, the TPP, we see that it included restrictions on the ability to implement data localization requirements at the insistence of U.S. negotiators. It seems likely that those same provisions will resurface during the NAFTA talks.

So too, I would argue, will limitations on data transfer restrictions which mandate the free flow of information on networks across borders. Those rules are unquestionably important to preserve online freedoms in countries that have a history of cracking down on Internet speech. But in a Canadian context they could restrict the ability to establish privacy safeguards. In fact, should the European Union mandate data transfer restrictions, as many experts expect, Canada could find itself between the proverbial privacy rock and a hard place, with the European Union requiring restrictions and NAFTA prohibiting them.

Secondly, I want to focus on consent. As you know, privacy laws around the world differ on many issues, but they all share a common principle: collection, use, and disclosure of personal information requires user consent, an issue that has become increasingly challenged in a digital world where data is continuously collected and can be used for a myriad of previously unimaginable ways.

Now, rather than weakening or abandoning consent models, I believe the Canadian law needs to upgrade its approach by making consent more effective in the digital environment. There's little doubt that the current model is still too reliant on opt-out policies in which businesses are entitled to presume that they can use their customers' personal information unless those customers inform them otherwise. Moreover, cryptic privacy policies often leave the public confused about the information that may be collected or disclosed, creating a notion of consent that is largely fiction not fact.

How can we solve some of the problems with the current consent-based model? I'd identify at least four proposals. First, we should implement an opt-in consent approach as the default approach. At the moment, opt-in is only used where strictly required by law or for highly sensitive information, such as health or financial data. That means that the vast majority of information is collected, used, and disclosed without informed consent.

Second, since informed consent depends upon the public understanding how their information will be collected, used, and disclosed, the rules associated with transparency must be improved. The use of confusing negative-option check boxes that leave the public unsure about how to exercise their privacy rights should be rejected as an appropriate form of consent. They never know if they should be clicking or unclicking a box to protect their privacy.

Moreover, given the uncertainty associated with big data and cross-border data transfers, new forms of transparency and privacy policies are needed. For example, algorithmic transparency would require search engines and social media companies to disclose how information is used to determine the content displayed to each user. Data transfer transparency would require companies to disclose where personal information is stored and when it may be transferred outside of the country.

Third, effective consent means giving users the ability to exercise their privacy choices. Most policies are offered on a “take it or leave it” basis, with little room to customize how information is collected, used, and disclosed. Real consent should mean real choice.

Fourth, stronger enforcement powers are needed to address privacy violations. The rush that we saw in Canada to comply with Canada's anti-spam laws was driven by the inclusion of significant penalties for violation of the rules. Canadian privacy law today is still premised largely on moral suasion or fear of public shaming, not tough enforcement backed by penalties. If we want the privacy rules to be taken seriously, there must be serious consequences when companies run afoul of the law.

Finally, I'll say a word on transparency and reporting. As many of you will know, in recent years, the stunning revelations about requests and disclosures of the personal information of Canadians—millions of requests, the majority without court oversight or warrant—point to an enormously troubling weakness in Canada's privacy laws. Simply put, most Canadians have no awareness of these disclosures and are shocked to learn how frequently they occur.

There's been a recent emphasis on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports. Twitter released their 10th annual report today, and they've been joined by some of Canada's leading communications companies, such as Rogers and Telus.

Despite the availability of a transparency reporting standard that was approved by the government and the Privacy Commissioner, there are still some holdouts. The problem lies with the non-binding approach with respect to transparency disclosures.

I obtained some information under the Access to Information Act, and learned that after an industry-wide meeting organized by the Privacy Commissioner in April 2015, Rogers noted the following:

It was indicated at this meeting that any guidelines adopted would fall short of regulation, but would be regarded as more substantive than voluntary guidelines.

Yet, if the non-regulatory approach does not work, it falls to either the federal Privacy Commissioner or the government to take action.

The most notable company to refrain from meeting these transparency standards is Bell Canada, Canada's largest telecommunications company. Bell initially claimed that it was waiting for a standard from the Privacy Commissioner, but now, almost a year after that standard has been released, they still have not released the transparency report. Millions of Canadians still don't know when, under what circumstances, and with what frequency Bell discloses their subscriber information. In my view, that's simply unacceptable.

If the current law doesn't mandate such disclosures there is a problem with the law, and reform requiring transparency disclosures with real penalties for failure to do so is needed. I don't need to tell you that scarcely a day goes by without some media coverage of a privacy-related issue. I think it is clear that the public is concerned with their privacy, and it is also clear that the business community has come to recognize the value of personal information. It is time for the law to catch up.

I look forward to your questions.

February 16th, 2017 / 5:05 p.m.
See context

Executive Director, B.C. Freedom of Information and Privacy Association

Vincent Gogolek

Federally, we would be looking for something stronger than what's currently in PIPEDA, but of course there is breach notification right now as a result of Bill S-4 from the last Parliament.

February 16th, 2017 / 4:10 p.m.
See context

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's part of Bill S-4, which will come into force soon.

October 4th, 2016 / 12:05 p.m.
See context

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

In a recent presentation I made I highlighted some of the shifts in moving from being regulated to being a regulator. It's been an interesting learning curve for me and I've become more sensitive to some of the issues.

Specifically I'll talk about mandatory breach notification. When I was in the private sector, we worked very hard to come up with voluntary breach notification guidelines, and we worked with the privacy commissioners across the country to implement those as guidelines for organizations. I now see those embodied in the federal privacy legislation, Bill S-4. When the regulations are implemented, we will see that for federal private sector organizations. We see it in Alberta, and we've recommended it in B.C., and the B.C. government has accepted that.

What was once voluntary in the private sector is now becoming de facto standard of being mandatory. We also note that in Europe the general data protection authority has come out to indicate that mandatory breach notification is required. I'll also note that they've taken a few steps further than that, and it's going to be significant for Canada to continue to be substantially similar with the requirements of GDPR for the free flow of information as it relates in the private sector for organizations that operate multinationally.

October 4th, 2016 / 11:25 a.m.
See context

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Thank you very much for the invitation.

My office provides independent oversight and enforcement over B.C.'s access and privacy laws. The enforcement and oversight extends to over 2,900 public bodies, including ministries, local governments, schools, crown corporations, hospitals, municipal police forces, and more. They're subject to B.C.'s public sector privacy law, the Freedom of Information and Protection of Privacy Act or FIPPA.

It extends to over 380,000 private sector organizations, including businesses, charities, associations, trade unions, trusts, and more that are subject to B.C.'s Personal Information Protection Act or PIPA.

Today I am going to focus my comments on three areas that are part of the deliberations of this committee to which the B.C. experience may be informative: commissioners order-making powers, an explicit obligation to safeguard personal information, and mandatory breach notification. Under order-making power and mediation and consultation, in British Columbia the mandate of the office includes the promotion of access and privacy rights, public education, advice to public bodies and businesses, investigation of complaints, mediation, and independent adjudication. These functions are complementary, and in my opinion, best delivered under one roof. It would be extremely difficult for another administrative tribunal or court to attain the same level of expertise and provide for efficient and timely resolutions for citizens.

Privacy and access to information issues are dynamic in the modern digital world. It's in the interests of organizations, individuals, and public bodies that the individuals making legal and binding decisions have the requisite skills and up-to-date knowledge about what is happening on the ground. Having the responsibility for adjudication plus advocacy, education, and investigation ensures the necessary expertise in the law. Our adjudicators receive the same technical training and professional development as our investigators, and are routinely exposed to new technologies, emerging ideas, and global trends affecting privacy and access to information law.

Combining the investigation and adjudication into one office provides clear benefits to citizens. Combining those provides one-stop shopping for citizens. This clarity and convenience is important. There is no confusion about which oversight agency or tribunal citizens need to direct their complaint to. They need merely to address our office. Citizens don't feel as though they are caught in or bounced around an unnecessarily bureaucratic system.

We have not found that the public education or the advisory functions of a commissioner pose a risk of undermining the adjudicative function. We do take steps to protect the integrity of the adjudication process. For example, no information about investigative files or attempts at informal resolution are ever disclosed to the adjudicators. The adjudicators do not report to the same supervisor, and they are not located on the same floor as the investigators.

When providing the public with advice and consultation, we clarify that our view is based on the information provided at the time, and that it is not binding on the commissioner with respect to making a formal finding in the event that we receive a future complaint.

In our consultations, we communicate about general principles and recommend best practices without prejudging individual cases. We are able to perform these various roles effectively because our legislation also explicitly gives us these powers and spells them out in detail.

Adjudication enhances our ability to resolve issues through mediation. The adjudicative function lends greater authority to our investigators by focusing the minds of the parties, and it provides an incentive to both parties to avoid formal adjudication. As a result, we resolve 90% of our complaints and reviews in mediation. In the last year we had 1,056 complaints and requests for review, of which only 109 went to inquiry. Of those that went to inquiry, only a little over 1% were judicially reviewed.

The fact that we have public education and advisory functions, complemented by investigative powers, with the ultimate ability to order compliance through our adjudicative function, gives us a level of authority that can influence the public and the government. Without that complete suite of functions, we would not have that same level of influence.

B.C.'s public sector privacy law has an explicit requirement for public bodies to safeguard personal information. We consider this legislative requirement as being fundamental to a public body's responsibility for the personal information it collects from citizens. Given the negative repercussions that can occur to citizens in the event of a breach of their personal information, it's almost unbelievable that a privacy protection statute would not incorporate this requirement.

Section 30 of our act states:

a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Citizens rely on this section and expect that a public body is taking adequate measures to protect their personal information. It's the legislative requirement in most jurisdictions across Canada and internationally. Having this requirement in legislation is important from the perspective of public trust, as a clear and binding requirement on public bodies. It indicates the importance that governments place on this requirement.

While B.C.'s legislation does not explicitly address physical, organizational, and technological measures commensurate with the sensitivity of the data, our office has set out similar expectations in investigation reports and orders. In my view, placing this language explicitly in the legislation would be consistent with international standards regarding the protection of personal information.

Also, we have been clear that, as our province's regulator, we evaluate “reasonable security arrangements” on an objective basis, and that the determination of what is reasonable is contextual. The standard is not one of perfection but varies based on the sensitivity and the amount of personal information in question.

On breach notification, a privacy breach occurs when there is unauthorized access, collection, use, or disclosure of personal information. It is unauthorized if it occurs in contravention of one of our privacy laws. An important element of safeguarding personal information is ensuring that the privacy commissioner and affected individuals are notified when a privacy breach occurs.

Privacy breaches can carry significant costs. They put individuals at risk for identity theft and serious financial or reputational harms. They can also result in a loss of dignity and a loss of confidence in public bodies. We trust public bodies with some of our most sensitive and comprehensive personal information: social security records, tax data, health information, financial information, and the list goes on. We have no choice but to provide that information to the public bodies.

It seems every week that privacy breaches are reported in the media. We hear about laptops and portable storage devices being lost or stolen, human error resulting in disclosure, unauthorized access, or snooping as well as cyber-attacks.

Breach reporting in B.C. is currently voluntary in both the private and public sector. However, my office has recommended that it be made a mandatory requirement, and let me explain why. In British Columbia, we examined the government's privacy breach management process and we published those results in 2015. We learned that nearly 3,000 breaches were reported to government during the period of 2010 to 2013, but only 30 of those had been reported to my office. This told us that, under a voluntary reporting requirement, my office was receiving reports of only about 1% of all the breaches that occur within government ministries. Of those, the majority, 72%, were classified as “administrative errors”. The breakdown of other types of breaches included unauthorized disclosures at 16%, lost or stolen at 4%, unauthorized access at 3%, and cyber-attacks or phishing at less than 1%.

It shows that it's important to set out a clear threshold where notification must occur. We don't want to hear about every breach, but we need to know about the important ones. In B.C., we have recommended that the threshold be where the breach would be reasonably expected to cause harm to an individual, or where the breach involves a large number of individuals.

Mandatory breach reporting to a privacy commissioner also means that the commissioner's office can work with public bodies to learn from their mistakes and implement lasting preventative strategies. Mandatory breach notification also ensures that affected individuals are made aware of breaches without unreasonable delay, so they can take the important steps to protect themselves.

For these reasons, my office has recommended to the legislative committees reviewing B.C.'s privacy statutes that mandatory breach notification be added as a requirement. Both of these committees agreed and recommended in their final reports that the privacy laws for the public and the private sectors be amended to require breach notification to the commissioner and to affected individuals in the event of a privacy breach. The B.C. government has stated that it is committed to addressing mandatory breach notification at the next available legislative opportunity.

The federal Bill S-4 added breach notification requirements to Canada's private sector privacy law, and it is difficult for me to understand why the government would not hold itself to the same standard as it holds the private sector.

That concludes my remarks.

September 29th, 2016 / 11:05 a.m.
See context

Dr. Michael Geist Canada Research Chair in Internet and E-commerce Law and Professor of Law, University of Ottawa, As an Individual

Thank you.

Good morning, everyone. As you heard, my name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law.

My areas of specialty are digital policy, intellectual property, and privacy. I served for many years on the Privacy Commissioner of Canada's external advisory board, and I have been privileged to appear before many committees on privacy issues, including things such as PIPEDA, Bill S-4, Bill C-13, the Privacy Act, and this committee's earlier review a number of years ago on social media and privacy.

I appear today though, as always, in a personal capacity representing only my own views. As you know, there is a sense of déjà vu when it comes to Privacy Act reviews. We have had many studies and successive federal privacy commissioners who have tried to sound the alarm on legislation that is viewed, as you just heard, as outdated and inadequate. I think that Canadians rightly expect that the privacy rules that govern the collection, use, and disclosure of information by and within the federal government will meet the highest standards, and for decades we have failed to meet that standard.

I would like to quickly touch on some Privacy Act concerns, but with your indulgence I'll talk a bit about some of the other broader privacy law environment issues in Canada that I think are really directly related to the Privacy Act.

First though, on the Privacy Act—and this is going to sound familiar as I have flagged some of the same issues that David did—I think the Privacy Commissioner of Canada has provided this committee with many very good recommendations, and I endorse the submission. As you know, most of those recommendations are not new. Successive commissioners have asked for largely the same changes, and successive governments of all parties have failed to act.

I want to highlight four issues in particular with respect to the current law, and as I say, David has flagged some of them already. The first is education and the ability to respond. The failure to engage in meaningful Privacy Act reform may be attributable, at least in part, to the lack of public awareness of the law and its importance. I think the Privacy Commissioner plays an important role in educating the public, and has done so on PIPEDA and broader privacy issues. The Privacy Act really needs a similar mandate for public education and research. Moreover—and you just heard this—the notion of limited reporting through an annual report, I think, reflects a bygone era. In our current 24-hour, social-media-driven news cycle, restrictions on the ability to disseminate information, particularly information that can touch on the privacy of millions of Canadians, can't be permitted to remain outside of the public eye and left for annual reports when they are tabled. Where the commissioner deems doing so to be in the public interest, the office must surely have the power to disclose in a timely manner.

I also think we need to think about strengthening protections. As you've heard, the Privacy Act falls woefully short of meeting the standards of a modern privacy act. Indeed, at a time when government is expected to be a model, it instead requires far less of itself than it does of the private sector. A key reform, in my view, is the principle of limiting collection, a hallmark of private sector privacy law. The government should similarly be subject to collecting only that information that is strictly necessary for its programs and activities.

I'd also flag, as David did, breach disclosure, which has been commonplace in the private sector privacy world, and it has long been clear that similar disclosure requirements are needed within the Privacy Act. The Treasury Board guidelines are a start, but legal rules, in my view, are essential. In fact, the need for reform is even stronger given the absence of clear security standards within the act. Provisions that establish such standards and mandate disclosure in the event of a breach are crucial to establishing an appropriate level of accountability and ensuring that Canadians can guard against potential identity theft and other harms.

The final issue is privacy impact assessments. As you all know, privacy touches us in many ways, and it similarly is implicated in many pieces of legislation. I recall that during the last session of Parliament, the Privacy Commissioner regularly appeared before committees to provide a privacy perspective on many different pieces of legislation. This approach of coming in after the legislation has been drafted at the committee, I think, runs the risk of rendering privacy as little more than just an afterthought. It's more appropriate to conduct a privacy impact assessment before legislation is tabled, or, at a minimum, at least before it's implemented.

Those are some of the issues on the Privacy Act side, but as I said, I wanted to talk about three bigger picture issues that I think are some of the moving parts in the federal privacy world.

The first has to do with Bill C-51's information-sharing provisions. I realize the government is currently consulting on national security policy, and there's, as you know, a particular emphasis on Bill C-51. From my perspective, one of the biggest problems was the information-sharing provisions. The privacy-related concerns stem from an act within the act in Bill C-51's Security of Canada Information Sharing Act. As you may know, the sharing of information went far beyond information related to terrorist activity.

It permits information sharing across government for an incredibly wide range of purposes, most of which have little to do with terrorism. The previous government tried to justify the provisions on the grounds that Canadians would support sharing of information for national security purposes, but the law now allows sharing for reasons that I think would surprise and disturb many Canadians, given how broadly those provisions can be interpreted.

Further, the scope of sharing is very broad, covering 17 government institutions, many of which are only tangentially related, if at all, to national security. The background paper on the national security consultation raises the issue, but in my view appears to largely defend the status quo, raising only the possibility, it seems to me, of tinkering with some clarifying language. If we don't address the information-sharing issue, I fear that many of the potential Privacy Act improvements will be undermined. I think this requires a wholesale re-examination of information sharing within government and the safeguards that are there to prevent misuse.

Second, I want to talk about transparency and reporting from a slightly different perspective. As many of you may know, in recent years, there have been stunning revelations about requests and disclosure of personal information of millions of Canadians, millions of requests, the majority of which are without court oversight or warrant, which I think points to a real weakness within Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used.

Recent emphasis has been on private sector transparency reporting. Large Internet companies such as Google and Twitter have released transparency reports, and they have been joined by some of Canada's leading communications companies such as Rogers and Telus. There are still some holdouts, notably Bell, but we have a better picture of requests and disclosures than we did before. However, these reports represent just one side of the picture. Public awareness of requests and disclosures would be far more informed if government also released transparency reports. These need not implicate active investigations, but there is little reason for government to not be subject to the same expectations on transparency as we expect of the private sector. Indeed, the Liberal Party focused on transparency in its election platform. Improvements to access to information are absolutely critical, but transparency is about more than just opening the doors to requests for information. Proactive disclosure of requests for Canadians' information should be part of the same equation.

Third and finally, I want to talk briefly about government-mandated interception capabilities and decryption. The public safety consultation that I referenced, which was launched earlier this month, has been largely characterized as a C-51 consultation, but it's much more. The return of lawful access issues threatens to scrap the 2014 lawful access compromise, and I think raises some really serious privacy concerns.

For instance, the consultation implies that “lack of consistent and reliable technical intercept capability on domestic telecommunication networks” represents a risk to law enforcement investigations. Yet left unsaid is that the prior proposed solutions in the form of government-mandated interception capabilities for telecommunications companies were rejected due to the enormous cost, inconsistent implementation, and likely ineffectiveness of standards that would exempt many smaller providers. Creating government-mandated interception capabilities for all providers represents an enormous privacy risk that I think runs roughshod over both PIPEDA and the Privacy Act.

Further, the consultation places another controversial policy issue on the table, noting that encryption technologies are “vital to cybersecurity, e-commerce, data and intellectual property protection, and the commercial interests of the communications industry”, but lamenting that some of those same technologies can be used by criminals and terrorists.

Given its widespread use and commercial importance, few countries have imposed decryption requirements. This year's controversy involving access to data on an Apple iPhone that was owned by the San Bernardino, California, shooter revived debate over access to encrypted communications. The consultation asks Canadians to comment on circumstances under which law enforcement should be permitted to compel decryption. A move toward compelling decryption, in my view, would place more than just our privacy at risk. It would also place our innovation strategy and personal security in the balance.

In conclusion, fixing the Privacy Act is long overdue. There is little mystery about what needs to be done. Indeed, there have been numerous studies and a steady stream of privacy commissioners who have identified the problems and called for reform. What has been missing is not a lack of information, but rather, with all respect, a lack of political will to hold government to the same standard that it holds others.

I look forward to your questions.

September 29th, 2016 / 11 a.m.
See context

David Fraser Partner, McInnes Cooper, As an Individual

Thank you very much.

Thank you for the opportunity to speak about this statute, which is one of the most important statutes we have to regulate the interaction between individual citizens and their government.

The Privacy Act was great for the 1980s, but much has changed since then. This committee has heard a lot about changes in technology, but I think one overarching consideration is changes in people's expectations. We have seen developed, in a number of different jurisdictions across Canada, much more modern privacy laws. We have the Personal Information Protection and Electronic Documents Act, which regulates the private sector and is based on fair information practices. I believe this committee has also heard a lot about the new ATIPPA statute in Newfoundland. You had the benefit of speaking to the committee responsible for the report that led to its complete revamp.

One thing worth noting, when you are looking at this statute compared with other more modern privacy statutes, is that consent generally does not work in the government context. Individual citizens don't choose, for example, the government with which they deal, compared with choosing which bank they go to, and things like that.

One thing I want to emphasize, first and foremost, is that I have had the opportunity to review and actually contribute to the Canadian Bar Association's submissions over the years. Although I am speaking in my own capacity, I generally agree with everything that's in there. Also, I am in general agreement with what has been noted and asked for in the Privacy Commissioner's submissions to this committee over the course of a number of years. There are a couple of things I would like to specifically highlight that I think are important to look at.

One is what could be a basic technical fix, which is to remove the requirement that personal information be recorded in order to be subject to the statute. Information that is just stated orally, that is handed over.... The statute can be interpreted such that the disclosure of information orally is not captured within the statute, and that is a significant gap.

I also think that there should be a provision in the statute to clarify that the work product of public servants should not be considered to be personal information of those public servants. This statute should work hand in hand with the Access to Information Act to encourage transparency of government operations. Unwarranted calls for privacy standing up in the face of government transparency are problematic and something that can be quite easily addressed.

The rest of my recommendations or suggestions would probably be lumped in under three different categories: accountability, transparency, and overall making the statute effective.

Under the accountability banner, I would think that we need more clarity, as citizens, about how government manages the personal information of its citizens. We have the personal information banks and info source systems, which I don't think are entirely effective. There needs to be more proactive disclosure to citizens about how their information is used, who is responsible for it, and which government department is using it.

There should also be a necessity test, which is something this committee has heard about, with respect to the collection of personal information. The government institution should collect only information that is necessary for its functioning activities.

I think there should also be an element of personal accountability within the statute, which is missing. Many more modern privacy laws, particularly health privacy laws but also others across the country, have an offence provision that if an individual or even an institution, unlawfully and usually with knowledge, is in violation of the statute, they can be charged under that. We have seen a large number of privacy breaches across the country related to individuals just browsing through large databases for their own entertainment, and charges being brought against those individuals in various provinces. I think that's something that should be introduced into the Privacy Act.

Under the heading of transparency, fair information practices are generally based on notice and consent. As I said, consent isn't something that generally works in the public sector context, but I do think that there needs to be more proactive communication to citizens about what the information is going to be used for in order to justify its collection. Other jurisdictions regularly include privacy notices on the forms that they require citizens to complete, letting them know and setting their expectations with respect to why the information is necessary, how it is going to be used, who is going to be the custodian of that information, and how they can get access to it and have it corrected, if necessary, to exercise their other rights under the statute.

Also in connection with transparency, I think that the Privacy Act should specifically give the commissioner an education mandate, but along with that it should also give the commissioner the ability to publish reports of findings of investigations under the Privacy Act.

Currently the commissioner publishes such findings for private sector investigations, but we need more guidance. Transparency about what the government is doing with respect to personal information would be significantly served if there were such an obligation, or at least the mandate and the ability for the commissioner to report findings. In the annual report that the commissioner issues each year, there are summaries of some notable cases, but I think we would all benefit from understanding what government departments are doing with people's personal information. Having that information out there, particularly if it's found that the government department has not acted properly, would serve a significant education mandate for all government departments, but also for citizens generally.

I do think we need to have breach notification if there's a breach of security safeguards, similar to what was added to PIPEDA in the Digital Privacy Act, an obligation on the part of the government institution to notify both the Privacy Commissioner and notify affected individuals if a proper threshold has been met. I think the one in the Digital Privacy Act is a reasonable one.

Then ultimately, there's making it effective. I'm not a fan of order-making powers. I think the ombuds model works, but I have come around to see the wisdom of the Newfoundland hybrid model, where if a government department is not going to follow a recommendation with respect to any obligation under the Privacy Act—collection, use, disclosure, or other safeguards—the department should have to stand up in front of a court and justify it and explain why it doesn't have to. In effect, that puts the onus on the government department, and we would end up with a body of case law that would be more clear. That could be by an expedited application process, which is already the procedure under PIPEDA, so that these don't turn into significant, huge federal cases.

Those are the highlights of my recommendations for the statute. It is really outdated, really antiquated, and I don't think it accords with the evolved expectations of individuals about how their information is going to be collected, used, and disclosed. We shouldn't tolerate a quasi-constitutional statute that's at least two generations out of date.

Thank you very much.

May 3rd, 2016 / 9:40 a.m.
See context

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The notice that we currently receive voluntarily, which will be mandatory once Bill S-4 comes into force, comes into our PIPEDA investigation group. There is one person who receives these notices. In the notice from the organization, the company describes certain facts and tries to assess the impact. We review that. We give advice to the company.

When the case is particularly of concern, as we have seen in some cases, we can actually start an investigation, which is in the broader group of investigators within the PIPEDA group.

The vast majority of breaches will lead simply to reading the report given to us by the company in question and giving advice—or not, depending on the situation. In a minority of cases, a full investigation will occur.

May 3rd, 2016 / 9:40 a.m.
See context


Raj Saini Liberal Kitchener Centre, ON

Now with Bill S-4, you are going to have more reporting, breach reporting, that will come from the private sector.

Just for those of us who are not well-informed of the protocol, just so we understand where the resources should be allocated, can you give us a very brief overview of the way a breach flows thorough the system once it is reported, so we know what components are involved in assessing that breach?

May 3rd, 2016 / 9:15 a.m.
See context

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Sure. I would start with the fact that very few of these cases lead to court action. I'll distinguish between the public and the private sector again.

Under the public sector rules, there is now a directive from the Treasury Board that mandates departments to notify my office and the Treasury Board when there is a significant or material breach in a department. We've not been funded to do that work, so we had to reallocate from other places. Essentially there is one person in the office who deals with these cases.

We receive reports from departments. In the public sector there are roughly 300 of these breach notifications every year. There is one person to review these reports at the office. We look at what the department tells us in terms of the nature and the potential impact of the breach. We give some advice, but with few resources the examination is relatively superficial.

On the private sector side, there is no obligation at this point for companies to notify us. Some companies notify us voluntarily. Under Bill S-4, which was adopted by Parliament last year, when regulations are adopted, there will be a legal obligation for companies to notify us, but again, there will be no funding. We're talking about hundreds of notifications per year given to our office. We have one person on the public sector side and one on the private sector side to look at these. By necessity we review fairly superficially what the departments tell us or what the companies tell us.

To add to this, as you know, there are other statistics out there that suggest there are many more breaches than those our office is actually notified about.

I think the issue of breaches is a significant problem. We do what we can with these two people who are devoted to these analyses. Given the importance of the issue of breaches, it's a concern for me that we have as few resources as we do to devote to these issues.

May 3rd, 2016 / 9:10 a.m.
See context


Daniel Blaikie NDP Elmwood—Transcona, MB

My understanding is that with Bill S-4 you'll be anticipating an increase in the number of investigations relating to the private sector. Is that right?

June 18th, 2015 / 4:20 p.m.
See context


The Speaker Conservative Andrew Scheer

I have the honour to inform the House that when the House did attend His Excellency the Governor General in the Senate Chamber, His Excellency was pleased to give, in Her Majesty's name, the royal assent to the following bills:

Bill C-247, An Act to expand the mandate of Service Canada in respect of the death of a Canadian citizen or Canadian resident—Chapter 15.

Bill C-452, An Act to amend the Criminal Code (exploitation and trafficking in persons)—Chapter 16.

Bill C-591, An Act to amend the Canada Pension Plan and the Old Age Security Act (pension and benefits)—Chapter 17.

Bill S-3, An Act to amend the Coastal Fisheries Protection Act—Chapter 18.

Bill S-6, An Act to amend the Yukon Environmental and Socio-economic Assessment Act and the Nunavut Waters and Nunavut Surface Rights Tribunal Act—Chapter 19.

Bill C-51, An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts—Chapter 20.

Bill C-46, An Act to amend the National Energy Board Act and the Canada Oil and Gas Operations Act—Chapter 21.

Bill C-2, An Act to amend the Controlled Drugs and Substances Act,—Chapter 22.

Bill C-26, An Act to amend the Criminal Code, the Canada Evidence Act and the Sex Offender Information Registration Act, to enact the High Risk Child Sex Offender Database Act and to make consequential amendments to other Acts—Chapter 23.

Bill C-63, An Act to give effect to the Déline Final Self-Government Agreement and to make consequential and related amendments to other Acts—Chapter 24.

Bill C-66, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 25.

Bill C-67, An Act for granting to Her Majesty certain sums of money for the federal public administration for the financial year ending March 31, 2016—Chapter 26.

Bill C-42, An Act to amend the Firearms Act and the Criminal Code and to make a related amendment and a consequential amendment to other Acts—Chapter 27.

Bill C-555, An Act respecting the Marine Mammal Regulations (seal fishery observation licence)—Chapter 28.

Bill S-7, An Act to amend the Immigration and Refugee Protection Act, the Civil Marriage Act and the Criminal Code and to make consequential amendments to other Acts—Chapter 29.

Bill C-12, An Act to amend the Corrections and Conditional Release Act—Chapter 30.

Bill C-52, An Act to amend the Canada Transportation Act and the Railway Safety Act—Chapter 31.

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act—Chapter 32.

Bill S-2, An Act to amend the Statutory Instruments Act and to make consequential amendments to the Statutory Instruments Regulations—Chapter 33.

Digital Privacy ActGovernment Orders

June 18th, 2015 / 3:05 p.m.
See context


The Speaker Conservative Andrew Scheer

Pursuant to an order made on Wednesday, June 17, the House will now proceed to the taking of the deferred recorded division on the amendment of the member for Victoria on the motion at third reading of Bill S-4.

Call in the members.