Bill S-4 (Historical)

We have done that in the form of guidance to organizations, asking organizations to use plainer language when they seek consent. That's obviously only an incomplete answer, but at the end of the day, it is organizations that know the service they are providing and know what kind of information they need, so they're in the best place to inform consumers and individuals. We're urging them to use as plain language as possible.

That being said, consent is a huge concern. We think that Bill S-4 is a step in the right direction with the clarification to the definition found in it. But as I indicated before, we're consulting stakeholders on what our priorities should be for the next several years on how best to improve the situation for individuals. The consent that they provide will almost certainly be among our priorities.

I would say that we have worked on complaints involving children, and we have been able to set certain parameters for how to obtain consent when the services provided by the organization are of interest to children, so it's not that we are currently without any tools to ensure the ability of consent generally and for children specifically.

That being said, I think it is useful to provide, to have the clarification that Bill S-4 proposes to have so that organizations see clearly from the definition of consent in what would be the new provision of PIPEDA, that they have to think about the clientele to which they're offering products and services. This probably is happening to some extent. Certainly it's happening to some extent for organizations, but it may not be happening for all organizations, and to have this clearly in legislation, that you must think about your clientele, I think would be useful.

Is it that are we without tools currently? No, but it would be useful to have this addition.

We could spend a whole day on this issue of consent. Obviously, whether people provide consent with all knowledge of the consequences of their giving consent is a huge issue, and in many, many cases consumers, individuals, do not realize what they are consenting to. There's no question about that.

How does one ameliorate the situation? We think education is a big part of it. Guidance from the office is a big part of it for organizations and individuals. Is it possible to legislate this? The proposed definition of consent in Bill S-4 I think is a useful addition, but obviously you cannot prescribe all the potential situations where consent will be sought in the marketplace, so legislation has its limits. I think with the clarification that Bill S-4 provides, it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children, because the definition in Bill S-4 requires organizations to put themselves in the shoes of the individual whose consent is being sought: what does the individual understand? So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

The first point I would make is that we can devise a breach notification regime in any number of ways. The one that you have in front of you is a good compromise. It's reasonable. Is there a better system conceivable? Probably. What I would ask you to do is to adopt that regime because the main point is we need mandatory breach notification.

Is it appropriate to leave organizations with the duty or the discretion to notify or not? In practical terms, we see that in Alberta, which has a similar scheme, but also federally with the voluntary breach notification that we've enforced for the past few years, organizations by and large do not under-report. They over-report. They want to report borderline cases because they don't want to be seen as under-reporting. Moreover, in Bill S-4, there will be penalties for those who under-report. Again, is this the best regime possible? Maybe, maybe not. I think it's reasonable overall and should be adopted.

I reiterate what I answered to Madam Nash, namely, yes, C-13 and S-4 on the issue of warrantless access to information create challenges and issues.

The decision of the Supreme Court in Regina v. Spencer is extremely useful and sets good parameters. I think it would be useful to go a step further and to further clarify lawful authority with a combination of the decision of the Supreme Court in Spencer plus a clarification of the circumstances where government can collect without warrant when there's no reasonable expectation of privacy. I think that would be a reasonable regime.

It's for two reasons, essentially.

Point one, I totally agree that there needs to be provision in PIPEDA allowing organizations to address the issue of fraud or breaches of agreements that they may face. The question is how to do it. The current regime, I think, is preferable to what is proposed in Bill S-4 in that, first, it does not allow for fishing expeditions, so that the threshold for the suspicion an organization has that there might be fraud involved is at a higher level, which I think is preferable. Second, the investigative body regime calls for transparency and publicity—we know what the investigative bodies are—as opposed to the proposed modifications whereby any organization could share information with any other organization, so that there would be less transparency, as well as room ultimately for fishing expeditions.

Thank you, Mr. Chair. Good morning, members of the committee.

Thank you for the invitation to present our views on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act.

With me today are Patricia Kosseim, senior general counsel, and Carman Baggaley, senior policy analyst.

Ms. Kosseim and Mr. Baggaley appeared before the Standing Senate Committee on Transport and Communications on Bill S-4, shortly before my appointment as Privacy Commissioner was confirmed. My views on Bill S-4 are largely in line with the office's position as presented at that time.

I will however be addressing in more detail the proposed amendment that allows organizations to disclose personal information to other organizations without consent. I will also discuss paragraph 7(3)(c.1) disclosures in light of the Supreme Court's Spencer decision.

Let me first say that I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians in their dealings with private sector companies.

Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information. I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.

I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted. Requiring organizations to keep a record of breaches and provide a copy to my office upon request will give my office an important oversight function with respect to how organizations are complying with the requirement to notify.

The proposed voluntary compliance agreements will enhance my office's ability to ensure, in a timely and cost-effective manner, that organizations are meeting their commitments to improve their privacy practices without having to resort to costly litigation before the Federal Court in conditionally resolved cases.

As for the proposed provision that aims to enhance the concept of valid consent, I believe that this is a useful clarification of what constitutes meaningful consent under PIPEDA. It underscores the need for organizations to clearly specify what personal information they're collecting and why in a manner that is suited to the target audience.

While I support many of the amendments proposed in this bill, I nevertheless have strong reservations about proposed paragraphs 7(3)(d.1) and (d.2). These proposed provisions would allow an organization to disclose personal information without consent to another organization in certain circumstances. My concerns are twofold.

First, I believe that the investigative body regime as it currently exists in PIPEDA and which paragraph 7(3)(d.1) and (d.2) seek to replace provides important transparency and accountability safeguards that will disappear with the proposed amendments.

Currently under PIPEDA, organizations can disclose personal information without consent to investigative bodies designated through a transparent governor in council process. The list of organizations with investigative body status is publicly available. Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

Furthermore, the proposed provisions seek to dilute the thresholds and grounds for disclosure that currently exist under the current investigative body regime in paragraph 7(3)(d). I would prefer to maintain the existing investigative body regime. However, if that is not possible, then I would recommend keeping the existing PIPEDA thresholds found in paragraph 7(3)(d) and grounding disclosures in real problems rather than fishing expeditions.

This would mean three things: first, the threshold under paragraph 7(3)(d.1) should be based on a “reasonable grounds to believe” that the information relates to an actual breach or contravention; second, the threshold under paragraph 7(3)(d.2) should be based on a “reasonable grounds to believe” that the information relates to the detection or suppression of fraud that “has been, is being or is about to be committed”; and third, disclosures under paragraphs 7(3)(d.1) and 7(3)(d.2) should only be permitted on the initiative of the disclosing organization.

In addition a mechanism for enhancing transparency and accountability around these disclosures would be needed. For example, disclosing organizations could be required to issue transparency reports and to document the analyses undertaken in deciding to disclose under these provisions.

Finally, I would like to address the Spencer decision and how I believe it impacts paragraph 7(3)(c.1 ) of PIPEDA.

ln the Spencer decision, the Supreme Court held that police need a warrant or a court order when seeking subscriber information from an organization subject to the act.

ln the court's view, there is a reasonable expectation of privacy in subscriber information connected with online activity and the police request that the organization voluntarily disclose this information constituted a search that violated the Charter. I believe that this decision is a significant step forward in protecting privacy, but it leaves unanswered the question of what types of information attract a reasonable expectation of privacy and the related question of when organizations may voluntarily disclose other types of information in response to a police request.

As a result, organizations are left in a state of uncertainty and ambiguity as to when they may or may not disclose personal information without warrant and it leaves individuals in the dark about when their personal information may be disclosed to state authorities without their consent or prior judicial authorization.

I would therefore urge the committee to recommend putting an end to this state of ambiguity by clarifying when, post-Spencer, the common law policing powers to obtain information without a warrant may still be used. I believe that a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada's decision.

More specifically, I would recommend that Parliament provide greater clarity and transparency by amending PIPEDA to define “lawful authority” for the purposes of paragraph 7(3)(c.1) in line with the Supreme Court's decision, that is, where there are exigent circumstances, pursuant to a reasonable law other than paragraph 7(3)(c.1), or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.

Thank you for your attention. I would be happy to answer any questions you may have.