Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

March 10th, 2015 / 11:45 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much. I have one last question for you.

We are studying this bill before second reading, which is a rather unique situation. For me, this means that we have an opportunity to really improve the bill and make important amendments in order to properly protect the privacy of Canadians. We also have the opportunity to go beyond Bill S-4. We can adequately amend PIPEDA to properly protect Canadians.

Do you think that, in the wake of the Spencer decision, we should amend the provisions of PIPEDA that relate to the disclosure of information without consent? Should we go that far? Do you think it's necessary to do this? Should we take this opportunity?

My question is for all of the witnesses.

March 10th, 2015 / 11:40 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Mr. Gogolek, I would like to go back to the Personal Information Protection and Electronic Documents Act, or PIPEDA.

You were actively involved in assessing this legislation following the Spencer decision. I read with great interest the report that was produced and that recommends amending the legislation to improve the framework for disclosing information without consent and without warrant.

Obviously, we do not want to establish 10 different privacy protection regimes in Canada. We want to ensure in some way that it is comprehensive.

If we are in the process of amending an act that Bill S-4 is supposed to resemble, should we not be proactive and amend the bill so that it corresponds to the new act?

March 10th, 2015 / 11:40 a.m.

Executive Director, BC Freedom of Information and Privacy Association

Vincent Gogolek

Given the complexity of the vocabulary used, I will answer in English if I may.

I agree with what Professor Geist has just said. The federal Privacy Commissioner has noted that there are difficulties with Bill S-4 as a result of the Spencer decision. Our commissioner in British Columbia has as well. Commissioner Denham has been calling for tightening of our legislation “without consent to cases where the disclosure is “necessary” for purposes related to an investigation or proceeding.” At the same time that the current version of Bill S-4 is taking one approach, one of the substantially similar provinces—one of the committees—is heading in the opposite direction as a result of their understanding and interpretation of the Spencer decision. As Professor Geist said, the drafters of Bill S-4 didn't have the advantage of Spencer. We do today. We know what the Supreme Court of Canada said about this. I think we have to take this into account.

March 10th, 2015 / 11:35 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much, Mr. Chair.

I would like to thank all of our witnesses for being here today. You all have some very interesting points of view.

My first question relates to the Spencer decision.

Mr. Geist, you have already testified before the Senate, but the decision had not yet been made. So I would like to hear your opinion on the decision and its possible repercussions on Bill S-4.

When the minister appeared, he seemed to think that no changes to Bill S-4 and the PIPEDA were required. I would appreciate hearing the other witnesses' comments on this, if they have any.

March 10th, 2015 / 11:15 a.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Thank you very much.

Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill S-4, which proposes amendments to PIPEDA.

My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent initiatives to legislate voluntary standards. As a lawyer with the Public Interest Advocacy Centre at the time, I was a public interest representative on the committee that drafted the code. I later advocated for legislation that eventually took the form of PIPEDA.

I have been closely involved with PIPEDA ever since, first in my role as a consumer advocate with PIAC and later as director of CIPPIC, both of whom I understand you have already heard from. In particular, I have conducted studies of private sector compliance with PIPEDA. I have lodged a number of PIPEDA complaints with the Privacy Commissioner. I have taken the Privacy Commissioner to court in order to establish that she had jurisdiction to enforce PIPEDA against foreign corporations acting in Canada. I published a study of security breach notification laws in 2007. I've been urging the government to adopt mandatory security breach notification laws since 2003.

Today I am speaking on my own behalf as a lawyer and privacy advocate. The last formal submissions I made on PIPEDA reform were in 2008 in my role as director of CIPPIC. Those submissions focused on three issues: security breach notification, protection of minors, and compliance and enforcement. The analysis and proposals made in those comments remain apt today, and I would be happy to provide copies of that submission to anyone who is interested.

I'm happy to see that the government has seen fit to address all three of these issues in Bill S-4, but I am disappointed that the measures in each case fall far short of what is needed. I will address each of these three topics briefly, but before doing so I would like to address an elephant in the room. That elephant is consent.

There is a pretense that companies are obtaining informed consent from customers to the collection, use, and sharing of their personal data. But anyone who takes the time to study what is actually going on will quickly see that this is, to a large extent, a fiction and that meaningful consent is rarely obtained from consumers.

Negative option consent is commonly used but rarely brought to the attention of customers. Consent is in fact often assumed simply by virtue of use of the service. Changes to privacy policies are simply posted on the company website and customers are expected to inform themselves. No one really expects individuals to read through lengthy, complex terms of service for every transaction. People simply don't have the time. If they do take the time to read the terms, they may find that they are notionally consenting to have their personal data used for purposes such as—and I'm quoting here from privacy policies that I've looked at—research, marketing, product development, and business purposes. In further violation of PIPEDA, many companies are refusing to deal with customers who won't agree to unnecessary uses of their personal data, such as marketing.

A reality check is needed on what is happening in the marketplace with so-called customer consent. In the meantime, proposed section 6.1 is a helpful qualification on what the law already requires. It may have some positive effect on what is, in my respectful submission, a widespread disgrace.

However, the current wording of proposed section 6.1 could actually have a perverse effect on the protection of children or seniors. If you read the clause, you will see that it fails to protect vulnerable populations to whom an organization's activities are not directed. All that a company needs to do to exploit children is to direct its activities to adults and then turn a blind eye to the fact that children are signing up. A simple fix is to revert to the earlier wording of this clause found in Bill C-12. However, if the aim is to protect children, a much more effective approach is simply to prohibit certain uses of personal data about children.

I have a few words on breach notification. This is long overdue, and it will certainly be an improvement on the current situation. But are the proposed rules going to be effective? Breach notification is about more than notifying individuals. An equally important goal is to create incentives for organizations to put in place strong security safeguards.

In order to create such incentives, there needs to be a real risk of significant financial harm to a corporation from failing to put in place adequate security measures. This is the test you should be applying to your assessment of the proposed breach notification regime: is there a real risk of significant financial harm to corporations from non-compliance?

I am not convinced there is. Fines apply only to failure to report or failure to keep records and require cumbersome proceedings and proof of intent. Civil lawsuits are too costly to make sense in most cases, and the Privacy Commissioner may be dissuaded from using publicity for this purpose as a result of subsection 20(1.1), which prohibits disclosure of breach notification reports. I do not understand that section.

Until there are real financial incentives for corporations to take appropriate measures to prevent breaches from happening in the first place, and to otherwise comply with privacy laws, non-compliance with PIPEDA will continue to be a cost of doing business in Canada.

I'd like to finish with a few comments on private investigations. I am very concerned that, if the proposed changes to the current investigative body regime exception go through, this bill will actually set back privacy protection in Canada.

I will not repeat the able submissions of my colleague Dr. Geist on this subject, but let me just point out that in the new world of cheap data storage and powerful data analytics, the only limits on how far companies will go in their efforts to detect fraud, criticism, or contractual breaches will be what you put in this law. With today’s technology, it’s less costly to gather more data and to apply analytical tools to a large database than it is to restrict the intake of data to that needed in the first place.

In this context, insurance companies and other companies will, no doubt, argue that it's reasonable for them to conduct what amounts to broad and deep surveillance of their customers in order to detect fraud.

Paragraph 7(3)(d.2) would allow just that. It requires no formal investigation. The disclosure just needs to be reasonable, not even necessary as in the previous formulation in Bill C-12. This provision would open the door to routine sharing of personal data among organizations based on nothing more than the always present risk of fraud. Moreover, there would be no transparency or accountability requirements. It would be a major setback for consumer privacy.

I understand that this amendment was based on the Alberta model, but I looked at the Alberta model, and subsection 20(n) of the Alberta statute is not as permissive as this. It actually limits sharing to certain kinds of organizations.

I urge you to remove these clauses from the bill and stick with the current investigative body regime. I also urge you to adopt the transparency measures that my colleague Dr. Geist recommended.

Thank you very much.

March 10th, 2015 / 11:10 a.m.

Dr. Michael Geist Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Thank you, Mr. Chair.

Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I've appeared before this committee on a number of occasions on digital policy issues, including privacy, and I appear today, as always, in a personal capacity representing only my own views.

Actually I previously appeared before the Senate committee that was studying Bill S-4 and my remarks then focused on three broad issues.

First, I offered my support for several important provisions in the bill, particularly the additional clarification on the standard of consent, the extension of the deadline to take cases to the Federal Court, and the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings or other matters. Second, I identified issues that I think need amendment or improvement: the security breach disclosure rules, particularly the abandonment of a two-step disclosure process that was found in some earlier bills; the compliance agreements provisions, which I think could be strengthened with penalties or order-making power; and the expansion of voluntary disclosure of personal information between private sector organizations. Third, I talked about some missing provisions, namely, what I think is the need for mandatory transparency reporting.

My time this morning is limited, so I'm going to delve deeper into just two issues, the voluntary disclosure provision and transparency reporting.

On voluntary disclosure, as you know, Bill S-4 expands the possibility of personal information disclosure without consent or court oversight to anyone, not just law enforcement. As you know, the bill features a provision granting organizations the right to voluntarily disclose personal information without the knowledge or consent of the affected individual and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation, or even the prospect of a future violation.

This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. I believe this runs counter to the court decisions that we've seen from the Federal Court, which have sought to establish clear limits and oversight over such disclosures as well as the spirit of the Supreme Court of Canada's Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with such information. In fact, if we examine the leading cases involving disclosure of customer information in private litigation—not to law enforcement but in private litigation—such as in Warman v. Fournier, BMG v. Doe, Voltage v. Doe—virtually all emphasized the need for safeguards before customer information is disclosed, even as part of an investigation.

A House of Commons committee did recommend a similar reform in 2006, but that recommendation was rejected at the time, both by the Conservative government and the Privacy Commissioner of Canada.

I recognize that some have suggested that both Alberta and B.C. have similar provisions and that no harm has resulted from their approach. I'm not so sure. I don't think anyone can reasonably conclude that the provincial approach has not resulted in privacy risks or harms. It's important to bear in mind that the disclosure itself is not necessarily revealed to the affected individual. Indeed, the point is often to disclose without knowledge or consent, meaning the affected individual will not know that their personal information has been disclosed. Asking for evidence of harm when the harmful conduct is kept secret from those who are affected creates an impossible evidentiary burden. In fact, even if you believe that the disclosures might come to light through court processes should it reach that point, and we know that oftentimes the disclosures won't ever reach the point of a court case, provincial privacy law such as we find in Alberta and B.C. rarely involves having these kinds of cases come to light. It's no coincidence that the leading cases involving personal information involve PIPEDA, because those cases typically involved telecom companies, Internet service providers, websites, and banks, all largely governed through PIPEDA.

In other words, the existence of this kind of provision at the provincial level actually tells us very little about how it will be used under PIPEDA. The reform here, I think, is clear. There is no compelling need for a change. The current system has been in place for many years and there are dozens of organizations that are covered by the investigative bodies exception. It may have been a bit of a hassle 10 years ago, but now the reform makes little sense. Further, if there are specific industries that can point to concerns, I think those can be addressed through a narrow amendment, but the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.

Second is the need for transparency reporting. The lack of transparency in reporting requirements associated with personal information disclosures, I think, is a glaring omission from the bill. The revelations last year of over a million requests and over 750,000 disclosures of personal information in a single year, the majority of which happened without court oversight or a warrant, point to, I think, an enormously troubling weakness in Canada's privacy laws.

More recently, the Privacy Commissioner of Canada tried to conduct an audit of RCMP requests for subscriber information and was largely forced to abandon the audit when the data there were found to be inaccurate and incomplete.

Now, there are some companies, such as Rogers and Telus, that have begun to issue transparency reports, but there are others, most notably Bell, that have not. Most Canadians have simply no awareness that this is taking place. This deficiency can be addressed, I think, through two reforms.

First, the law should require organizations to publicly report on the number of disclosures they make without knowledge or consent and without judicial warrants. This information should be disclosed in aggregate on a quarterly basis—every 90 days. I'm not talking about disclosing it to each individual immediately; we're talking about its being on an aggregate basis and a quarterly basis.

Second, those organizations should be at some point in time required to notify affected individuals within a reasonable time. Leave aside the necessity to keep it secret, if necessary as part of an investigation; once it is concluded or a reasonable amount of time has passed, either get a court order to continue the secrecy or disclose the disclosure to the affected individual.

The adoption of those kinds of provisions—transparency reporting and that disclosure—would, I think, be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.

I welcome your questions.

March 10th, 2015 / 11:05 a.m.

Conservative

The Chair Conservative David Sweet

Good morning, ladies and gentlemen. Bonjour à tous.

Welcome to the 36th meeting of the Standing Committee on Industry, Science and Technology. We are studying Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

We have before us today, from the BC Freedom of Information and Privacy Association, Vincent Gogolek, the executive director.

We were going to have the Insurance Bureau of Canada here, but they're stuck on the tarmac in Toronto in a plane that was not able to go. They're trying to get on another plane, but of course they're not going to be able to make it to the meeting. We have already rescheduled them by phone for another meeting.

We also have before us Michael Geist, Canada research chair in Internet and e-commerce law at the University of Ottawa. He is testifying as an individual.

By teleconference we have Philippa Lawson, barrister and solicitor. She's coming to us from Whitehorse in Yukon.

Can you hear us okay, Ms. Lawson?

February 19th, 2015 / 12:05 p.m.

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

I did hear the testimony earlier this week where that came up. Maybe I can give you a really quick example of it.

Take a call centre context, where someone calls in and says, “I received the bill of my neighbour at my home.” What would happen in that context is that the call centre representative would say, “Oh, that's horrible. We'll send you an envelope; can you please send the bill back to us?” Then the call centre representative would reach out to the other customer and say, “We're very sorry, but your neighbour received your bill. We apologize.” They would then make amends.

That situation is technically a breach of security safeguards, because the wrong bill went to the wrong customer. It's a one-off. It's not insignificant to those two customers, but it's insignificant in the grand scheme of when you think about breach notifications. The way Bill S-4 is worded today, it would require us—by “us” I mean any industry or organization subject to PIPEDA—to develop a system to log that somehow. It's taken care of. It's managed. It's handled. But it would have to be logged somehow, through a different system. Otherwise the organization is subject to new offence provisions, which are very serious. The breach notification offences are quite serious in the record-keeping—

February 19th, 2015 / 12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Thank you very much, Mr. Chair.

Mr. Lawford, you're not happy with where Bill S-4 is.

February 19th, 2015 / 12:05 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

My second question is for Mr. Israel and Mr. Lawford.

In terms of the compliance agreements, we know that one of the objectives of the bill is to ensure that organizations are really taking PIPEDA seriously, which is unfortunately not always the case right now.

Do you think the compliance agreements proposed in Bill S-4 are sufficient to really encourage organizations to comply with Canadian law?

February 19th, 2015 / 12:05 p.m.

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

Clearly, our position is different. We don't think amendments need to be proposed for PIPEDA or Bill S-4. The Supreme Court did its homework, which was to interpret one provision in an existing piece of legislation. We therefore don't think amendments need to be made.

February 19th, 2015 / noon

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

From the CBA's perspective, we totally understand the movement from investigative bodies to the regime that's proposed in Bill S-4, which is similar to B.C. and Alberta, as you just stated. Because of the concern we had been hearing in the media and others, when you read the words on the page, we thought that maybe there's an opportunity just to rein it in a little bit, so we proposed very targeted amendments to more reflect what actually happens in practice today under investigative bodies. It was more in keeping with the environment of the time, I think, that those recommendations are being proposed.

February 19th, 2015 / noon

Executive Member, National Privacy and Access Law Section, Canadian Bar Association

Suzanne Morin

Actually, in a way I would echo Mr. Lawford. In particular, as regards breaches, there has been extensive voluntary compliance because industry does actually see their security safeguard obligations requiring notification to individuals. Maybe the only little piece that Bill S-4 brings is the reporting to the OPC, but that's actually happening on a voluntary basis because of the excellent guidelines that the OPC has issued.

February 19th, 2015 / 11:55 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Because our time is so tight here, I'm just going to go to all three of you, in a sense, and ask this question. Are we better off with Bill S-4 as is, than prior to Bill S-4, than we are currently, in a sense? If we pass Bill S-4 as it is, are we better off with our privacy legislation than we were before?

February 19th, 2015 / 11:45 a.m.

John Lawford Executive Director and General Counsel, Public Interest Advocacy Centre

Thank you very much, Mr. Chair.

Honourable members, my name is John Lawford. I'm the executive director and general counsel of the Public Interest Advocacy Centre, a national non-profit, federally incorporated organization founded in 1976 that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests.

Due to the time I'm going to be speaking today solely to the breach notification amendments. However, I'll be happy to take questions on other aspects of the bill.

PIAC believes that the goal of an effective data breach notification law is to actually notify individuals of the loss, unauthorized access, or theft of their personal information from an organization whenever it is possible for the individual to take steps to avoid financial, reputational, or other harms, or to minimize these impacts. In our view this goal can be accomplished in a manner that also removes conflicts of interest in reporting breaches; reduces compliance cost and risk for business, in particular small business; generates data for better policy outcomes; engages, improves, and leverages the expertise of the Office of the Privacy Commissioner, OPC, in dealing with breaches; and encourages business and consumers to make investments in data security.

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4 incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

The conflict of interest in having a company assess whether an individual faces a real risk of significant harm from a data breach is one that will be settled in close cases and some more egregious ones by the company concluding there is no such risk. Such an assessment avoids the cost, reputational damage, and inconvenience faced by the company. It also avoids putting the company on the radar of the OPC for an audit or an investigation.

While it's true the company does face prosecution under the amended section 28 of PIPEDA and a possible fine up to $100,000, perhaps even per record, that offence is premised on not reporting a breach knowingly. Any organization that sets up even the most basic process to come to a conclusion that a breach was not a real risk of significant harm would have a very strong defence. This flaw is exacerbated by the bill's requirement to report all breaches regarding a real risk of significant harm simultaneously and relatively instantly to the OPC, whose role is purely observational, to affected individuals and to unspecified third parties who may be able to help. Which individuals to notify will be determined solely by the company involved, which will be dealing with the chaos of several reporting requirements that frankly make little sense as structured. The incentive again will be to keep the reporting to individuals to as few in number as possible. Contrast this with our vision of how Bill S-4 could work.

Step one, replace the initial reporting to all parties on the real risk of serious harm test for the requirement to immediately report material security breaches involving personal information to the OPC only. In Bill C-12 of the previous parliament, in that version, proposed section 10.1 did this very well with one exception. We would recommend removal of the systemic problem assessment, which the bill required and which also led to the disincenting of reporting.

Step two, leave the decision of whether to order—and yes, I said order—a company to report a data breach to individuals to the OPC. The company would have no say in the matter. The OPC would be an impartial third party arbiter of whether a breach was a real risk of significant harm to affected individuals. The OPC would gain experience, expertise, and authority in assessing breaches. The OPC decisions would be made public, meaning Canadians would finally know which companies had breaches, because this is presently not known for all breaches under the voluntary breach notifications referred to and the private conversations that we know the Office of the Privacy Commissioner has with companies.

Finally, the gathering of security failings generates data that could lead to better policy outcomes based on encouraging companies to invest in improved data security.

This approach would also benefit business, especially small business. With the OPC making the individual notification call, the business would be relieved of the compliance costs in hiring consultants to manage its data breach response, as the OPC would specify when, how, and how much notification was required. It would virtually eliminate the risk of civil liability for data breaches. The OPC could provide extensive breach notification guidance and materials to ease the reporting process for business in dealing with the stress of a breach.

This committee could save time and effort in designing step two by essentially copying the relevant section of Alberta's Personal Information Protection Act, namely section 37.1 of that act.

Finally, a rewrite of Bill S-4, as suggested, should encourage both business and consumers to take personal information security and the response to it more seriously. For business, a step-one requirement to report security breaches to the OPC would drive investments to improve systems in order to avoid having to report breaches. For consumers, a step-two notification could be treated as authoritative, serious, and OPC-approved assurance of impartiality, and spur consumers to take action to appropriately deal with breach notification and, finally, to reflect their judgment of the information-handling practices of the business to those businesses.

Thank you very much. I await your questions.