Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

March 10th, 2015 / 12:40 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Thank you, Mr. Chair.

I found it interesting to listen to all of the testimony first before getting a chance to talk.

Ms. Lawson and Mr. Geist both made similar statements. I wrote down that Ms. Lawson said, “We should be getting it right” and Mr. Geist that “We have to get it right”.

Interestingly, of course, I think that when we have these hearings, “right” means “the way you want it”. Ultimately, there have been other witnesses who have come before committee and said very different things. If the definition of “getting it right” means, for example, agreeing with those who said that consent provisions go too far, which we heard in the previous meeting, I don't imagine you would think it means we're getting it right.

Someone said that our data breach reporting regime is too onerous. If we decided that was the direction to go in, I'm quite certain that neither of you would say that this is “getting it right”. When anyone uses this term, I always hearken back to our hearings on anti-spam and copyright and even UBB. People's definitions of getting it right are very different. As in those cases, we're left to try to find the balance between very different, competing positions, and I think the case with this bill is no different.

Taking a look at three of the areas that have come up, I find it interesting....

Ms. Lawson, I'm going to come to you first and deal with section 20. You mentioned you had some concern with that section, I think around the confidentiality provision written into Bill S-4.

March 10th, 2015 / 12:35 p.m.

NDP

Annick Papillon NDP Québec, QC

What you are saying is interesting.

Let's come back to Quebec. Quebec legislation relating to the protection of digital privacy sets out exceptions that allow a business to gather or disclose any personal information without the consent of the individual concerned, but these exceptions are very limited and include, for example, situations involving a criminal investigation.

Do you think Bill S-4 could be inspired by what has been done in Quebec?

March 10th, 2015 / 12:30 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure. At the same time, it creates incentives or protection for users because they become aware of these disclosures when they happen.

What we've got under Bill S-4 is such a high threshold, and I think Ms. Lawson referenced this as well, that if the standard is only a real risk of significant harm and we don't have big penalties associated with non-disclosure to begin with, at least if you're a larger organization, in many instances, I think it's going to be quite rational, frankly, for an organization not to disclose. They're going to ask, first, what's the risk that anyone will ever find out about this? Second, if they do happen to find out about it and someone shows that there was a real risk of significant harm, then we will face a penalty. But even there, the penalties are relatively low.

So what the California law does is to say that we want to ensure that if we're going to err on one side or the other, it will be to err on the side of trying to mitigate against identity theft, to err on the side of ensuring that there is better security, and by lowering the threshold. We tried to do that a little bit in Bill C-12 and Bill C-29 with the two-step process, so that at least you are made sure that the Privacy Commissioner would be aware of the circumstances where there's a material breach. But in doing away with all of that, I don't think it's just a fear that breaches will occur in Canada. I think these should be expected. And if you asked many Canadians, they would tell you, “Boy, I should have been told about that”. And yet they won't be because companies are going to err rationally, based on the way this law is drafted, on the side of not disclosing it.

March 10th, 2015 / 12:30 p.m.

NDP

Annick Papillon NDP Québec, QC

Thank you very much, Mr. Chair.

Mr. Geist, thank you for being here today.

During a Senate committee meeting, you gave the example of California, which requires the disclosure of any security breach related to unencrypted personal information when there are reasonable grounds to believe that the information was acquired by an unauthorized person.

Could you give us a concrete example to explain the impact that a similar definition might have on the application of Bill S-4?

March 10th, 2015 / 12:30 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

You said there are positive aspects of the measures in Bill S-4.

March 10th, 2015 / 12:30 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Sorry, I'm not sure what you're referring to. Is it something in Bill S-4?

March 10th, 2015 / 12:25 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

No, not a data breach at all. The language used in Bill S-4 is exceptionally broad. It refers to the ability to disclose this information—here, I can try to call it up for you—where it is reasonable for the purposes of investigating a breach of an agreement or a contravention of a law that's either been, has been, or might even be committed, and where it is reasonable to think that if the individual were made aware of that disclosure, it would compromise the investigation.

We're not talking about data breaches here; we're talking about virtually carte blanche voluntary disclosures.

March 10th, 2015 / 12:25 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

No. What I'm referring to is an organization that has my information. There may be instances where they are disclosing it either to law enforcement or to private sector organizations.

In the law enforcement context, if it's a warrant, and post the Spencer decision, it's quite clearly now going to be a warrant, or should be a warrant.

In the private sector what this bill does is to say that we can disclose information on a voluntary basis without a court order and without any sort of court oversight.

I'm saying that, over the last number of years under PIPEDA, we've had cases where organizations have said that they want to identify who those subscribers are because they want to sue them, and there's an instance where they are conducting this investigation or have this legal process. The court examines the circumstances around whether there's an appropriate case to order that disclosure and sets limitations on the disclosures that can occur.

What Bill S-4 does is to expand the prospect of that kind of disclosure on a voluntary basis.

March 10th, 2015 / 12:20 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

I have one other question for you, Ms. Lawson. You talked about the fines today and the fines contained in Bill S-4 as the costs of doing business, and you said they're not a serious enough disincentive to any kind of privacy breach.

What do other jurisdictions have? What would be a serious disincentive that would really encourage the private sector to ensure that it is maximizing privacy protection?

March 10th, 2015 / 12:15 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Okay, super, thank you.

I do want to reiterate the point, through you, Mr. Chair, that the point of view that is being expressed by the witnesses here today, and the concerns that they're expressing about Bill S-4 were in fact offered to the Senate committee, but those changes that were recommended were not reflected in the bill that we see before us today. I'm assuming that's what we're being advised of here.

I think the witnesses are raising serious concerns and the Privacy Commissioner, himself, raised concerns about the scope of this bill.

Ms. Lawson, I want to start with you and ask you specifically about the subjective model proposed here for companies determining if there's been a mandatory data breach, disclosure on that. Can you advise us of your interpretation of what could happen with what's being offered in Bill S-4, and how you would recommend tightening up that provision?

March 10th, 2015 / 12:10 p.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

I have another quick point, which is that, as I mentioned at the beginning of my prepared remarks, the government has decided to refer the bill to this committee before second reading. Presumably, that is because it is open to amendments beyond the statement of principles of the bill. I find your remarks a little puzzling in terms of the difficulty that could ensue if amendments were to be made. Presumably, the government and the government House leader would have been aware of those difficulties when they in fact took the unusual step of breaking the normal process of things, and referring Bill S-4 to this committee before second reading.

March 10th, 2015 / 12:10 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.

In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.

We got first reading of Bill C-29 in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.

The next bill that was introduced was Bill C-12, which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.

We finally now have Bill S-4, on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.

With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.

So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

March 10th, 2015 / 12:05 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Okay.

Chair, I think it would have been very helpful if these points had been made at both the Senate and the House.

My question relates to a presentation made by the commissioner. The commissioner made a presentation not quite a year ago, in June of last year, before the Senate committee as they were dealing with Bill S-4, and then appeared before this committee on February 17.

I just want to read the summary of the commissioner. The commissioner does have new tools and greater flexibility to enforce PIPEDA. The commissioner said:

Overall, the introduction of Bill S-4 is a positive development for privacy protection in Canada. PIPEDA was written in the 20th century. It is more than a decade old. From a privacy perspective, the world has changed dramatically during this relatively short time. Passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the Office of the Privacy Commissioner better protect Canadians while addressing the emerging privacy issues of the 21st century.

Also unable to be with us today, Chair, is the Insurance Bureau of Canada. They provided a submission to the Senate when this was dealt with last year and they've communicated their support for aspects of the bill, particularly the fraud prevention measures.

Generally, the committee has heard support for this, and it's important that we provide the protection Canadians want. Bill S-4 does that.

Do any of the witnesses here today have a critique of the commissioner's perspective in supporting Bill S-4 going ahead?

March 10th, 2015 / noon

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you to the witnesses here today.

I think each of the witnesses is aware that there have been hearings back to 2006, which I think Mr. Geist referred to.

PIPEDA was written in the 20th century. It's over a decade old and it needs to be improved. This is what Bill S-4 attempts to do.

Also, it is almost impossible to get unanimous support for any piece of legislation, so I think there has been a lot of energy that's gone into improving PIPEDA. Canadians want companies to tell them if their personal information has been lost or stolen and if they've been put at risk. I think that consent needs to be appropriate, particularly for target groups like children.

Dr. Geist, you've been involved with providing input to the Senate. You were involved in the hearings back in 2006.

My question is for Mr. Gogolek. When the Senate dealt with this at committee a year ago—not quite a year ago, but when the hearings at the committee in the Senate were beginning on Bill S-4, did you appear as a witness? As you're aware, any legislative changes have to be supported in both Houses, and Bill S-4 began in the Senate and is now in the House of Commons. Were you a witness when this was dealt with at the Senate?

March 10th, 2015 / 11:55 a.m.

Liberal

Judy Sgro Liberal York West, ON

Thank you.

That's the area that I am most concerned about. Every time we pick up our BlackBerry or whatever gadgets we have, I agree that we don't read it. I would suggest that very few people read any of that. It's just an automatic check. It's a nuisance, and we just agree to it—until we find out that we have no protection, or very little protection. I think that's what we are trying to do here: to look at how to protect the consumer.

I attended a conference on cybersecurity yesterday. Certainly the issues that were raised there about security, whether you're talking about the Internet and so on, somehow make Bill S-4 look like it's still nowhere near what it should be, or the kind of legislation we need to be putting forward to better protect Canadians. I think it's unrealistic, frankly, to think that with this legislation companies are going to be reporting all of these breaches and so on. I think they'll ignore it. I think a $100,000 penalty is insufficient for a significant breach, based on the kinds of things we're learning through this process.

Certainly, Dr. Geist, your comments about transparency and disclosure would go toward improving it, as far as the real risk that consumers are facing is concerned, before they get into things like identity theft and violation of their basic rights. I don't want all my information shared with every Tom, Dick, and Harry who wants it. If we are going along with Bill S-4—and, from my party's perspective, I'm not sure that we are, but at least we're trying to make some improvements—what else would you suggest we need to put in here to make it stronger and more enforceable? I would ask that of all three, given my timelines here.