Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

February 5th, 2015 / 12:35 p.m.



Deputy Minister, Department of Industry

John Knubley

To answer your question I think the first step is always to ask if there is a warrant. The next step is to ask if there are any limited areas where consent is not required, and there are some very specific areas where that applies. That's the way the digital privacy act works.

I should be clear that this law does not apply to the police. This is a law that applies to the exchange of information from businesses to citizens.

February 5th, 2015 / 12:35 p.m.



Director General, Digital Policy Branch, Department of Industry

Chris Padfield

For those specific provisions, currently under PIPEDA there's a regime called the investigative body regime. It lists a number of entities that are allowed to do these activities now. The range of entities that are there are, for example, the bank crime prevention organization that works for the bank association. They share information back and forth among banks around people who have been robbing ATMs. They have videos at ATMs. They use and share that information without the thieves' consent so they can identify and do an investigation into the crimes. I've visited them. They share information across the country from different banks on people who are stealing from ATMs or robbing right inside the location. It's that kind of sharing we're talking about in that context.

Under the current investigative body regime there are those kinds of sector organizations. Then there are professional associations, such as professional engineers associations, colleges of physicians and surgeons, and the Law Society of Upper Canada, that do investigations into their own members in assuring that their own members are following the code of conduct for their organizations.

You have a third grouping such as forensic auditors who do that kind of activity on behalf of somebody else.

They share information without consent in the course of investigations. These investigations are generally for other public policy purposes in protecting Canadians from crimes, as in the bank example. That kind of information gets flowed back and forth.

What Parliament recommended in the first review of the act was to take an approach of regulating the activity rather than regulating the specific entities, which is the approach that B.C. and Alberta have taken. Rather than having the prescribed list of organizations that has to be updated—if you change your name, you have to go through regulation to have your name changed in the regulation—they said regulate the type of activities rather than regulate the individual entities and put them all on a list in the back.

That's what S-4 has done. It's taken that investigative bodies regime and split it into these two other sections to go and regulate the type of activity rather than the bodies themselves. That's what Parliament recommended and that's what B.C. and Alberta do now.

February 5th, 2015 / 12:30 p.m.



Deputy Minister, Department of Industry

John Knubley

Basically, the act and amendments impose obligations of that nature on organizations. Bill S-4 sets out new obligations.

Emmanuel Dubourg Liberal Bourassa, QC

Thank you, Mr. Chair.

I'd like to pick up on the part of Bill S-4 that concerns the transfer of information between the organizations.

I'd like to first say I think it's very commendable to have a bill that seeks to protect the elderly and young people when they are sharing information online. But I am troubled by the total lack of oversight when it comes to public institutions sharing information among one another, including law enforcement agencies. The information is being shared without the individual's consent or any monitoring. There is an absence of any civil liability in that regard.

Don't you think the bill should be amended to address that? The Privacy Commissioner is involved, especially when it's a matter of security, but in other cases, as I just pointed out, the information is being shared without any oversight.

February 5th, 2015 / 12:20 p.m.



Director General, Digital Policy Branch, Department of Industry

Chris Padfield

If I understand the question on the data breach provisions correctly, with regard to whether it's the private sector making the risk assessment versus the data breaches going specifically to the commissioner and having the commissioner review all the data breaches, in the approach that has been put forward in Bill S-4, the outcomes end up being the same.

When an individual company does an assessment of the risk of the data breach and whether there's going to be harm to the individual, they go through the procedure for figuring out whether they have the risk. Once they've identified that there's going to be a risk of harm, they identify both the individual and the Privacy Commissioner. At the same time, when they've done that assessment and they've reviewed the data breach, if they've found that there is no risk of harm, they're required to maintain a record on those and the commissioner can ask for those records at any time. They could ask the individual company to report all of those records to them at any time. So the commissioner has access to the same types of information and can review all those at any time.

The end result is the same. The commissioner has access to any and all data breach records at any time he wants, whether there's a real risk of significant harm or otherwise.

Annick Papillon NDP Québec, QC

Bill S-4 would require organizations in the private sector to report any loss or breach of personal information. But the criterion on which that mandatory reporting is based is subjective. In fact, the bill allows organizations to determine, themselves, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Why didn't the government choose a more objective criterion as the basis for that determination, such as the one proposed in Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which was introduced by my colleague?

February 5th, 2015 / noon



Deputy Minister, Department of Industry

John Knubley

Mr. Chair, I'll be very short.

I want to talk about two things. One is the basic objectives of the act, and the Minister referred to them. I also want to talk about some of the principles and objectives in terms of the design of the bill, which I think are important to understanding why the bill is the way it is.

Bill S-4 makes four important changes.

First, it requires companies to tell Canadians if their personal information has been lost or stolen, and they've been put at risk as a result.

Second, in the area of consent, it clarifies that actions taken to obtain consent must be appropriate to the target audience. We heard earlier about the particularly vulnerable group of children. In the area of consent it modifies the very limited circumstances—and we would want to stress, very limited—when personal information may be shared without consent in order to balance against other important public policy objectives, for example, if a bank or financial adviser suspects that one of the clients is a victim of financial abuse.

Third, Bill S-4 gives the Privacy Commissioner a range of new tools and greater flexibility to enforce the act.

Fourth, it takes steps to reduce the burden on businesses and to allow them to use this information in relation to their ongoing work and due diligence relating to various business transactions.

On the design side—and this is what I think is probably most important as an administrator to bring to your attention—it is really two concepts. I think this came up in the earlier discussion. One is the issue of balance and the other is the issue of principles. This is a bill based on principles.

As we make amendments and look to the future we want to maintain a concept of balance and build upon a principle-based approach that has made PIPEDA successful. These principles are set out in the annex to the original act and include important concepts such as accountability, consent, accuracy, safeguards, and openness.

In light of some of the earlier questions I would stress that openness is a principle that we constantly look to and applies, for example, in the question of the use of information between businesses. Of course it is all about ensuring that citizens have the right to know.

In terms of balance, I'll make a couple of quick points. Ensuring Canadians have the information they need so they can take action to protect their privacy is a priority. Equipping the Privacy Commissioner with the information and tools needed to protect Canadians and increase compliance is a priority. Providing clear rules and a minimal administrative burden on the private sector is a priority. These are not priorities that always mesh and the question of balance comes into play.

In conclusion I want to say that while every country takes a unique approach to addressing privacy—the United States, for example, has a more regulatory-driven approach and the European Union a much more proscriptive approach—we think we have a world-leading approach to the administration of privacy here in Canada and that's reflected in these amendments. We hope to continue to be a leader internationally in this regard.

Thank you, Mr. Chair.

Annick Papillon NDP Québec, QC

Yes, I'm going to continue.

Bill S-4 would give the Privacy Commissioner additional powers to enter into compliance agreements with organizations. In light of the fact that the date of the budget has been postponed numerous times—it won't be before April—has the government committed additional financial and human resources to the commissioner so that he can fulfill his new functions?

You have been in power for nearly 10 years and you are preparing a new budget. Can you assure us that the commissioner will have sufficient financial and human resources to do the job properly?

James Moore Conservative Port Moody—Westwood—Port Coquitlam, BC

It can be reviewed at any time. This committee can choose its own business. You can review it the day after, if you like. The committee can do whatever it wants. But as my deputy points out, this is the third time we've taken a run at this legislation and updating PIPEDA, so there is some urgency.

I was in opposition for two terms and I understand the nature of chastising governments for reasons real and imagined. That's fine, but one of the reasons we took the approach, why it is Bill S-4, and why we tabled it in the Senate first, is that this committee had a very full agenda. Parliament itself had a very full agenda, with a number of high-profile and complex pieces of legislation through the fall session of Parliament, and we wanted to get going on this. We wanted to get forward traction.

Of course, our legislative process requires it to have the support and consent of both houses of our bicameral legislature. We wanted to get it passed and moving forward, keeping in mind that we do have a campaign coming up this fall and House time is precious and limited. We reversed the process for that reason: because we do want this legislation to get passed and we do want it to go forward.

We see it as essential for a number of reasons, including taking full advantage of the digital economy and protecting Canadians online. There is I think a growing anxiety and an expectation amongst Canadians that the government do all it can in order to protect the privacy of Canadians online, not only in terms of the Privacy Act and citizen engagement with the Government of Canada in ensuring that their privacy is protected when they provide their information to the government, but also when they are doing so in the private sector.

It has now passed the Senate after consideration and deliberation, and there are a number of amendments that were debated at committee. This committee of course can fill its schedule and consider this legislation as it wishes, but it certainly is my desire that the bill move forward and be adopted so that we can protect Canadians and give Canadians the confidence they deserve.

Mark Warawa Conservative Langley, BC

Thank you, Minister.

Chair, we will be discussing this in great detail. We'll be calling a number of witnesses. The reality is that in our calendar we have about 15 meetings in the rest of this Parliament. If it's not passed, forwarded to the House and then passed, this will not be going ahead in this Parliament. I believe it's needed. I believe we've heard—and the Senate heard—that this reaches the balance.

Minister, just to reconfirm, there is a review built into Bill S-4. This will be reviewed in five years to see if it's effective and if there are any problems with it. Is that correct?

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you, Minister, for being here.

I think it's very important that we protect the rights and the personal information of Canadian consumers. We realize, with regard to the digital economy and how it's evolved so dramatically over the last few years, that it's important that we address the concerns we hear from Canadians.

With respect, Chair, I hear from the NDP that we should maybe amend what has come to us from the Senate.

Minister, if we were to delay and amend, would Bill S-4 then have to go back to the Senate to get passed? My concern is that this is needed, Canadians want this, and a vast majority of Canadians want this passed, and if we amend it, what's the chance of it passing in this Parliament? It's needed.

John Knubley Deputy Minister, Department of Industry

I think this is an area of important clarification. There may be two sets of points, and I'll ask my colleagues to help me on this.

First, I think we believe, as administrators, that we are not opening the door wider in this regard. What we are actually doing is bringing PIPEDA in line with the practices of other provinces like Alberta and B.C. here. Currently, we apply regulations in these specific areas of non-consent, and we're moving away from that to a series of tests we think are as rigorous as the regulation.

In terms of Bill S-4 itself, there is a series of amendments relating to business contact information and business transaction, for example, businesses in a merger, an acquisition; if it's specifically related to a work product, which requires ongoing business, and consent is not easily arranged; in the area of insurance; and in the area of employee information when termination is involved. All to say these are very specific circumstances where we think there are very legitimate and reasonable grounds for businesses to work with and share information among themselves.

I know, Kelly, you have some further information on this.

James Moore Conservative Port Moody—Westwood—Port Coquitlam, BC

That's a good question.

It's not always easy to figure out. Hence the importance of making sure that, whenever you give your credit card number to a supplier online, you have to read all the fine print, so to speak, because, at the end of the day, you are giving an organization your legitimate consent to share your personal information.

It's vital that, when using technology, consumers be extremely careful with their personal information. For that reason, Bill S-4 has a provision meant to protect young people, because they are the most vulnerable to these kinds of violations.

It's challenging for a government to put in place laws and regulations to protect people in their online communications. We believe this legislation gives the commissioner the powers needed to protect Canadians.

It's an ongoing debate in society and the media, not to mention within families. Whenever a breach of personal information occurs, we have to try to understand what went wrong and adopt new measures to protect individuals.

James Moore Conservative Port Moody—Westwood—Port Coquitlam, BC

That's a good question.

In our view, Bill S-4 clearly defines the obligations organizations and businesses are under in that regard. Once the bill comes into force, if any organizations have questions or need clarification, they can certainly speak to the people in my department or contact the Office of the Privacy Commissioner of Canada.

We introduced this bill to address the need to balance the rights of Canadians and the right to privacy. As I said in answer to Mr. Lake's question, we need to make sure that we are not creating barriers for organizations and businesses wishing to fully participate in the digital economy.

Emmanuel Dubourg Liberal Bourassa, QC

Thank you, Mr. Chair.

Good morning to you, to the minister and his officials, and to all my colleagues around the table.

We are talking about Bill S-4. In today's technological environment, it is indeed important to bring forward measures like these, but it is also important to make sure that personal information is well-protected.

Let's get right into it and look at new section 7(3)(d)(i), which deals with exceptions to consent requirements. It says that the information can be disclosed if the organization "has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed".

How can an organization determine the relevance of the information it is sharing to a federal or provincial contravention, all the while protecting individuals' rights?