Thank you, Mr. Chair, and committee members.
My name is Tamir Israel, and I'm a staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, at the University of Ottawa. CIPPIC works to advance the public interest in policy debates that arise at the intersection of law and technology. We're very grateful for this opportunity to provide our input into Bill S-4, the digital privacy act, which will make some important changes to PIPEDA, Canada's federal commercial sector privacy law.
Concern over privacy and lack of trust in organization practices remain an ongoing concern for a number of Canadians. A recent survey commissioned by the Privacy Commissioner found, for example, that over 75% of Canadians have avoided the use of a mobile application because of the information requested, and close to 60% have turned off location tracking functionality on their mobile devices out of concern that others will access the information. These types of statistics are telling, and they show that Canadians remain concerned, and are acting on their concerns, when engaging with digital content.
Even as concerns grow, avoiding privacy-invasive practices becomes increasingly difficult. Every device, from our mobile phone to our car to our television at home, is now a cause of concern for those wishing to maintain a sphere of privacy. The task of keeping up with the multitude of settings and privacy policies on all of these is time-consuming, and increasingly out of reach for many segments of the digital population.
Against this backdrop, Bill S-4 introduces some much-needed improvements to PIPEDA, while at the same time raising some concerns. We're particularly pleased to see the inclusion of compliance agreements and an extended appeal period, as those take some important initial steps towards resolving long-standing problems with PIPEDA's complaint mechanism. We hope that additional changes will be considered at the next statutory review of the bill, which is coming up in the next couple of years. We particularly point to long-standing problems with the lack of proactive compliance incentives as something that we think still needs to be addressed.
With respect to Bill S-4, I'd like to address three parts of the bill very briefly: the new consent requirement, breach notification regime, and some of the information sharing exceptions.
Clause 5 of Bill S-4 will enact proposed section 6.1 of PIPEDA, which seeks to strengthen the consent obligations so that individuals will be aware of the nature, purpose, and consequences of the activities that an organization seeks to carry out with their data. In general, this will mean that where an organization targets or becomes aware that it's dealing with vulnerable individuals such as youths, additional steps to ensure that its privacy practices are understood will have to be taken.
If dealing with young children, it may not be possible at all to make the young children themselves aware of the consequences of their actions, and verifiable parental consent might be required. This is in line with industry practices for minor-specific sites that interact with very young children. There are already legal obligations in some jurisdictions, such as in the United States, under COPPA.
The consent provision will also have a positive impact in other contexts. Strengthening the obligation of organizations to ensure that customers are aware of the nature and consequences of data practices will help individuals make more informed privacy choices in general.
We're a little concerned that recent changes to the bill over its predecessor may shift the focus of the provision to individuals whom the activities are directed at, as opposed to specific individuals whom the organization is dealing with. We're concerned in particular that one common practice would, for example, put in a privacy policy that no children under 13 are permitted on the service; then, when they become aware that large numbers of children under 13 are using the service, the way the consent is phrased might be taken to preclude the additional obligations that should normally apply in that context.
With respect to Bill S-4's breach notification obligation, we're very grateful to see this notification obligation coming into force. It's much delayed and needed. The breach notification obligations have become a standard for 47 states throughout the U.S., and the White House recently announced a federal breach notification bill.
The breach notification regime that Bill S-4 would enact requires that individuals and the Privacy Commissioner be notified where a breach of security safeguards creates a real risk of significant harm. As are my colleagues from the Canadian Bar Association, we're concerned that the standard for notifying the Privacy Commissioner is too high. Additionally our experience has been that it's very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.
Even a breach of safeguards that does not lead to the risk of significant harm can be indicative of a general laxity in technical safeguards that should be addressed. We think it's good to have a notification requirement to the Privacy Commissioner that's more comprehensive even where there's no real risk of significant harm to specific individuals.
We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored. We think that at least over time it would be good to improve this into a more generalized administrative monetary penalty regime. The fines currently in PIPEDA are designed as penalties for very overt offences. An administered monetary penalty regime would be more fitting as it would be focused on securing compliance. That gives businesses more leeway where innocent mistakes are made on the one hand and it may have more teeth where repeat offences are made or where there's a need to secure compliance. I think that would help improve the rigour of this bill, this breach notification regime.
I'll speak briefly to the information sharing elements of the bill. We find a number of these problematic. They raise some potential issues particularly on the private sector side, but we also have some concerns on the public sector side as well. Subclause 6(10) of Bill S-4 replaces the current investigative bodies exception, which permits an exhaustive list of non-governmental regulatory bodies such as the Law Society of Upper Canada to receive information relating to an investigation.
The issue that's intended to be addressed is the difficulties inherent in getting listed as an investigative body. New bodies emerge on occasion, the names of existing bodies change, and each time this happens regulations need to be passed. It's an onerous process. We support addressing that issue.
We're a little concerned that the remedy adopted to address that exception may open the door to unwanted information sharing, particularly in the context of intended lawsuits or where a private company wants to investigate the customer of another company. The provisions adopted in Bill S-4 are an improvement over those in Bill C-12 because they limit the situations in which a company can disclose their customers' information to another company to situations where it can reasonably be expected that if the customer were aware it would compromise the investigation or the impending lawsuit.
However, we're still concerned that this will open the door to customer sharing in a context where the courts have said very specifically that there's a specific process for when you're looking to go after an individual with a potential lawsuit. What you should be doing is filing a statement of claim and going through third party discovery processes, which have built-in safeguards for privacy.
We're concerned that this exception will at the very least give some companies the impression that they will be able to disclose their customers' information. We've had some fairly prominent examples of this in Canada. Some ISPs have been asked, in court so far...because the Federal Court of Appeal has said to date that you cannot disclose your company's information to a potential plaintiff without a court order.
Some of these have gone through the court system and they have even been problematic there. Copyright trolls have asked for the identities of thousands of ISP customers. We've seen other examples where this type of thing could be problematic, so we would appreciate clarification that this exception is not intended to facilitate the types of requests that are to facilitate lawsuits in essence.
We also have some brief concerns relating to proposed section 10.2, which is part of the breach notification regime, which obligates companies who are already disclosing to an individual and to the Privacy Commissioner that a breach of security safeguards has occurred. These companies will also be obligated to notify an open-ended list of companies and government bodies that they believe might assist in the reduction of harm.
In principle, this exception is logical. However, we would like to see some more safeguards in this exception.
Part of the issue is that many agencies that deal with security, particularly in the cyber context, are the same agencies that also conduct investigations on a range of other issues, and security can implicate the private data of several thousand if not tens of thousands of individuals. We're concerned that more information than is necessary may get passed along in these exchanges when they occur.
