Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

April 21st, 2015 / 11:30 a.m.

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

Mr. Chair, these amendments deal with deleting the lines regarding new warrantless disclosure provisions that go from company to company. As they're drafted in Bill S-4, companies will be able to share the general public's information without our knowledge or consent. Privacy experts are most concerned about this aspect of Bill S-4.

There has been a surge of recent cases of what some people call “copyright trolling”; in other words, companies sending extensive legal letters to customers threatening huge fines for downloading movies that people have never heard of.

As it stands, Bill S-4 would allow involved service providers to offer this information to anyone without the consent of the individual. Therefore, we feel that warrantless, non-notified voluntary disclosures should be removed from the bill.

April 21st, 2015 / 11:25 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Thank you, Mr. Chair.

This is a recurring theme through about four of these amendments of replacing the standard as proposed in Bill S-4, which is that the investigation or the fraud prevention activities would need to be reasonable for those purposes, with the standard of the organization having to have reasonable grounds to believe that something had happened warranting an investigation, or that fraud had occurred warranting the fraud detection, suppression, or prevention activities.

The second part deals with the last part of the test as proposed in Bill S-4, which says it would be reasonable to expect that disclosure with the knowledge and consent of the individual would compromise those activities.

This group of amendments replaces “reasonable for the purpose” with “reasonable grounds to believe”. The two thresholds are different as I've mentioned in the last response. The “reasonable for the purpose” is an objective standard. Looking at a situation, a court or the Privacy Commissioner would look at the conduct of the organization in the circumstances and look at whether their actions in disclosing the information are reasonable. Did they exercise good judgement? Were they fair? They would look at factors like the sensitivity of the information being disclosed and the seriousness of the conduct that was being investigated, in the case of investigations, or the seriousness of the fraud that was being looked for.

By changing to “reasonable grounds to believe”, it increases the threshold to the point where the organization would have to have compelling and credible evidence that something had occurred that warranted an investigation, or have compelling and credible evidence that fraud had occurred. It's a higher threshold. The reason why Bill S-4 proposes a lower threshold is that the purpose of these investigations in many circumstances, and the fraud protection prevention and suppression activity, is precisely to obtain clear and compelling evidence to meet that threshold of “reasonable grounds to believe”. The organization then can move from “I have a suspicion” or “I have an allegation of wrongdoing” to conduct some sort of internal investigation, determine that there is clear and compelling evidence that wrongdoing had occurred, and then move it to the next level. In the case of a criminal matter, that's referring it to law enforcement or in the case of an agreement among professional associations, such as lawyers or doctors, moving it into disciplinary action against the member of the organization.

April 21st, 2015 / 11:15 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Thank you, Mr. Chair.

This issue was raised during the first statutory review of PIPEDA that was carried out in 2006-07. The recommendation of the committee at the time was that the government consult with stakeholders and the Privacy Commissioner to examine the issue of the use of personal information when it's contained in a witness statement for the purpose of processing an insurance claim.

There was a concern raised at the time and discussed during the consultations. If I witness an accident, say that I saw an individual recklessly driving through an intersection, and provide that witness statement to the police, there was concern in the insurance industry that the individual who drove recklessly through the intersection could refuse and not provide consent for the use of his or her personal information—the fact that they were at that place at that time—for the purpose of processing the insurance claim.

Based on the consultation, there was a pretty wide agreement among the stakeholders, including privacy advocates at the time, that you didn't want to create a situation whereby individuals can protect themselves from responsibility in an accident, essentially, by invoking their personal privacy and saying that the witness statement can't be used because it contains their personal information. The purpose of the amendment in Bill S-4 is to provide a very limited exception so that insurance companies can get access to witness statements that contain personal information, only for the purpose of processing the insurance claim.

April 21st, 2015 / 11:10 a.m.

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

Thank you, Mr. Chair.

As you know, these three paragraphs in amendment deal with sharing information related to insurance claims. Our amendment is based on recommendations from the Privacy Commissioner.

Bill S-4 contains three separate provisions allowing an organization to collect, use, or disclose witness statements without consent at the request of the insurance industry. We have not been presented with any information or evidence demonstrating that the absence of these provisions has created any problem for the industry. We introduce these amendments in the hope of limiting the potential for fishing expeditions, to put it bluntly.

April 21st, 2015 / 11:05 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

Following the testimony we have heard, and several revelations in the media, parliamentarians and society realized that, unfortunately, there are far too many cases where the exceptions in the PIPEDA are used in far too broad and vague a way. There is no transparency regarding the exceptions that permit the sharing of personal information without consent and without a warrant.

I think that today we have to broaden our study and not only examine Bill S-4 and PIPEDA. That is what we must do when we study a bill at second reading.

That said, I move that section 7 of PIPEDA be repealed, so as to correct the flaws in this law that allow for the sharing of personal information without consent and without warrants.

April 21st, 2015 / 11:05 a.m.

Conservative

The Chair Conservative David Sweet

Good morning, colleagues.

Good morning, everyone.

Welcome to the 40th meeting of the Standing Committee on Industry, Science and Technology. Today we're considering Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

We are pleased to have three experts here, officials from the Department of Industry. Lawrence Hanson is the assistant deputy minister for science and innovation. Christopher Padfield is the director general of the digital policy branch, and John Clare is the director of the privacy and data protection policy directorate.

Thank you very much for joining us, gentlemen, and for being here for questions.

Colleagues, we have, as you can see piled in front of you, quite a number of proposed amendments to the bill. I was saying to my fine officials beside me that a chair never does this enough to get really slick at it, so we'll proceed, with your patience, through the bill. The officials have kindly batched the amendments together.

Unless I have some specific instruction from you, colleagues, on how to proceed, I'll just begin with the first clauses that have no amendments, then we'll move to the clauses that have amendments, and proceed in that way.

Is that fine for everyone?

March 26th, 2015 / 12:40 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Thank you, Mr. Chair.

I'm in the same position I was last week, when many of the questions I would have had were already answered.

I was struck by listening to the testimony today. You go through so many of the different areas that we've talked about, and we've heard witnesses say one thing to one extent and then different witnesses at a different time have said something completely on the other side of an issue and suggested that we move in a different direction.

I remember one witness in a previous meeting talking about the importance of getting this right, and I noticed that phrasing was in the Credit Union's opening statement saying that in this case they thought Bill S-4 does get it right, or gets a lot of things right.

On consent, for example, we've heard arguments that we should go in one direction or another. We've heard that with breaches: people saying it goes too far; people saying it doesn't go far enough. On information sharing now we're hearing the same thing.

Ms. Gratton, in your comments it was interesting, because I think your opening statement captured that balance, and the question of balance that we're trying to strike. It sounds like you think the legislation needs to go forward—you said that in questioning—but at the same time you have some questions. They're not necessarily declarative statements that this is what's going to happen down the road, but you asked whether we can find ways to avoid “over-disclosing”.

As this legislation hopefully passes and moves forward, what are you going to be watching for over the next few years in terms of the execution of this? We've heard, for example, on that issue, that in Alberta and B.C. there haven't been issues with that. Someone said that it's different circumstances with the federal legislation.

March 26th, 2015 / 12:25 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you to the witnesses.

I'd first like to provide a brief history of how we are where we are, and then ask for general comment from each of you on whether you support Bill S-4 going ahead or not going ahead. Then I will have some specific questions.

PIPEDA was passed in 2000. It came into force in 2001 to 2004, I believe. We can make changes to legislation in Parliament by legislation or by regulation. If it is by regulation, you regulate changes to existing legislation. It is also very common, and often required, that legislation be reviewed every five years. PIPEDA was reviewed in 2006-07, and some of you were involved in making recommendations as witnesses or by presenting submissions. The responsibility of the government is to listen to those and try to create a balance. Any legislative change is not going to get support from everyone for everything, because there are opposing ideas. But in general, I think, our government has reached that balance, and most of the witnesses from whom we have heard want Bill S-4 to go ahead.

We are about eight weeks away from this Parliament ending, and you may be the last group of witnesses that we hear from before we start dealing with the bill and working as a committee to see if we have any amendments. If there are amendments to this bill, given that there are only eight weeks left, it would be just about impossible, in my opinion, for Bill S-4 to move ahead, because it would then have to go back to the Senate.

I think I have heard general support for the bill going ahead.

Mr. Bundus, I think you said you don't want to stop it with these amendments; you want it to move forward.

I think, sir, you noted that changes could be made by regulation, which they can, if there are additional changes that need to be made.

Perhaps you could make a quick comment: do you support Bill S-4 moving ahead as it is now, or do you not support it moving ahead?

Maybe I could start with the Credit Union Central of Canada.

March 26th, 2015 / noon

Senior Vice President, Legal and General Counsel, Insurance Bureau of Canada

Randy Bundus

I'd like to highlight four of them. It's not that we would say, “Stop the bill and make these happen”, but in our mind, they would make for a better bill.

For example, in paragraph 7(1)(b), which is collect without consent in certain circumstances, we would also like to have a reference to collecting for the purpose of detecting, preventing, and suppressing fraud. We have the right to disclose for that purpose. Just to balance it out, having the right to collect would sort of be the other bookend to that.

We would also propose a small change to proposed paragraph 7(3)(d.2), and that's in the written submission we gave. It's to make sure we really have the ability to conduct those fraud analytics in a way that was recommended by the Ontario fraud task force.

A third change is with respect to proposed paragraph 7(3)(c.1). This is the provision that says you don't have to give access when someone makes an access request in certain circumstances. There's a reference in proposed paragraph 7(3)(c.1) to no access. We want to make sure there should be no access if the information is collected as part of the work product. We've added that work product aspect to the bill if we're able to collect information as part of a work product.

For example, insurers have claims files, adjusters have claims files, and we collect personal information in those claims files. In those claims files is also the reserve amount that has been set for that particular claim. It would be quite inappropriate in our mind to have to release the amount of that reserve amount for a particular claim via a PIPEDA request at the request of the person who is at the other side of the transaction. We would like to have that fixed if we could.

The fourth item is with respect to paragraph 9(3)(a). An amendment has been made already under Bill S-4. We suggest in addition to having solicitor-client privilege, that litigation privilege also be a basis for that.

I would not stop the bill from being passed, but just have those changes. It would be a better world.

March 26th, 2015 / 11:55 a.m.

Liberal

Judy Sgro Liberal York West, ON

Thank you very much, Mr. Chair.

To all of our witnesses, thank you for taking the time to come out and to help us deal with an important piece of legislation.

I think we could talk to the Insurance Bureau an awful lot more. What other changes would you like to see in Bill S-4 that would ultimately help you in your quest to have the tools you need to deal with the kind of insurance fraud that's going on—related to Bill S-4? You mention in your brief about having other issues other than the ones that you mentioned today.

March 26th, 2015 / 11:50 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

I am anxious to know how you track these fraudsters who come into the system. In your opening remarks, you talked about organized crime, different body shop organizations, and other types of groups that come into this. There has to be a way of tracking this.

Does Bill S-4 give you the tools to do what you need to do in order to start to address some of these issues?

March 26th, 2015 / 11:50 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you, Mr. Chair.

Welcome to our witnesses. Thank you for appearing today.

I'd like to begin with Mr. Pigeon and Mr. Martin on the credit union side.

You spoke about elder abuse and fraud. You suggested, in your opening comments, that we're doing some things right with Bill S-4. I wonder if you could expand on it. You say in here that the measure could be refined, however, by making it possible to disclose suspected abuse to a member of the individual's family, and that research has shown that often, in the case of elder abuse, the next of kin is the abuser. You also talk about CUSOURCE as a training program, or you've taken some of your solutions and are applying them to day-to-day operations.

I wonder if you could talk about Bill S-4 and how this is making it more feasible to track elder abuse. What are you doing through CUSOURCE to make it work?

March 26th, 2015 / 11:45 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Ms. Gratton, do you think that the compliance agreements as proposed in Bill S-4 are sufficient to really encourage businesses to respect people's personal information?

March 26th, 2015 / 11:45 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

Mr. Bundus or Mr. Dubin, I would put the same question to you.

In your testimony at the Senate on Bill S-4, you said that you preferred the breach notification mechanism model that is used in Alberta. Do you still feel that way? If so, can you explain why?

March 26th, 2015 / 11:45 a.m.

Partner, Borden Ladner Gervais LLP

Dr. Éloïse Gratton

Yes, those suit me. I know that certain reservations were expressed with regard to the record. All of the records need to be kept. I'm also aware of the position of the Canadian Bar Association, which also has certain reservations as to the records that would have to be kept.

Bill S-4 suggests that the commissioner and individuals be notified in this type of situation where there is a high risk of prejudice. I like that. In practice, when I divulge breaches, I advise individuals, but I also often advise the commissioners. These things are often done together. It does not bother me that the same criteria do not apply to disclosure.