Bill S-4 (Historical)

I'm glad as well, Mr. Chair. Thank you.

My name is Randy Bundus, and I am senior vice-president, legal and general counsel, with lnsurance Bureau of Canada. I am joined by my colleagues Maddy Murariu, with IBC government relations, and Rick Dubin, with IBC's investigative services. We are pleased to be here today.

IBC is the national industry association representing over 90% of private home, car, and business insurers in Canada. My remarks will focus on how Bill S-4 will affect my industry's ability to continue to combat insurance crime, which includes fraud and auto theft.

Insurance crime is big business in Canada. A recent Ontario government task force estimated that in that province auto insurance fraud alone costs up to $1.6 billion yearly. Insurance crime costs everyone in higher premiums and increased costs to our legal and medical systems.

Our industry works hard to suppress and prevent insurance crime through early detection, and also works hard to protect our customers' privacy. Insurers know that they must safeguard customers' personal information or risk losing business.

There are different types of insurance crime. It can be opportunistic. For example, a driver hits a guardrail and then invites a friend, a “jump-in”, to falsely state that he was also in the vehicle and suffered an injury for which he then claims compensation. Opportunistic claims are handled by insurers, but PIPEDA does not allow one insurer to verify facts by reaching out directly to another insurer that might also have been victimized by the suspected fraudulent incident.

Insurance crime can also be premeditated and organized. Large crime rings stage collisions that involve fraudulent injury claimants and others such as auto body shops and medical rehabilitation clinics. A crime ring can generate several million dollars in fraudulent claims.

IBC's investigative services, or ISD, was the first designated investigative body under PIPEDA, and it plays a critical role in the investigation of organized insurance crime. ISD is uniquely positioned to investigate organized insurance crime that involves multiple insurers, multiple claims, and multiple claimants. An example of this is the case of a police officer in Peel Region who was convicted in February on 42 counts, including 21 counts of fraud. This officer falsely reported nine collisions and, as a result, 14 insurers paid out almost $1 million in false claims to 69 participants.

ISD begins an investigation as a result of being made aware of an anomaly in an insurance claim. Information triggering an investigation may come from an insurer, a victim, law enforcement, or a tip from an informant. ISD then acts as a case file manager, coordinating investigations and identifying linkages between parties that are then submitted to regulators and other enforcement agencies. Individual insurance companies are not well positioned to handle organized crime on this scale.

This brings me to Bill S-4. We support the proposal in Bill S-4 to repeal the sections in PIPEDA that create investigative bodies and instead allow for an organization to disclose information to another organization in limited circumstances. These circumstances, as set out in Bill S-4, are to investigate a breach of an agreement or contravention of a law of Canada, and to detect, prevent, or suppress fraud.

My industry's experience under PIPEDA in investigating and detecting insurance crime has been of mixed success. While IBC's investigative services have been successful in combatting large, organized insurance crime, that has not always been the case for insurers in handling the opportunistic fraud. This is because many of the insurers are not able to disclose to each other information about suspected insurance crimes.

The proposed changes in Bill S-4 would help investigations into opportunistic or one-off insurance crimes involving only two claimants with two insurers, such as the jump-in example I gave earlier. Bill S-4 would allow insurers to disclose, in those very limited circumstances, when it is reasonable to do so, information to another insurer without the involvement of an investigative body.

An insurer could also disclose that information, in the same very restricted circumstances, to an organization such as ISD in the investigation of insurance fraud. In our view, this new process would be efficient and effective in detecting, preventing, and suppressing fraud, while still being respectful of privacy rights. Under Bill S-4, ISD could continue to function as a case file manager for organized insurance crime.

In our written comments to this committee, we address a number of other important issues in Bill S-4, including some minor wording changes to ensure consistency among the provisions allowing for responsible fraud investigations. We would be pleased to discuss these matters with this committee or with Industry Canada officials.

Thank you for your attention. I'd be happy to take any questions.

Thank you, Mr. Chair.

I also thank the committee for the opportunity to share with you our thoughts on Bill S-4.

Before addressing our views on this bill, I would like to begin by making a few preliminary remarks regarding the role of my organization, Credit Union Central of Canada, and more generally, the credit union system in Canada.

Canadian Central is the national trade association for its owners, the provincial credit union centrals. Through them, we provide services to about 315 affiliated credit unions across the country.

As you may know, credit unions represent an important part of the Canadian economy. We have about 1,700 credit union branches that serve 5.3 million Canadians. We have $170 billion in assets and 27,000 employees.

Credit unions in Canada come in all shapes and sizes. It's important to understand that some of our smallest credit unions have less than $10 million in assets, one full-time employee, and one part-time employee. Our biggest credit unions have $20 billion in assets and literally thousands of employees. So there's a lot of disparity or gap there. Regardless of size, however, as member-owned and controlled institutions we believe we have an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for the protection of our members' privacy.

The Credit Union Code for the Protection of Personal lnformation, adopted by credit unions in advance of the 2004 compliance deadline, really speaks to the system's long-standing commitment to member privacy. In fact, well before it was required or fashionable, this code reflected the credit union system's commitment to protect member privacy by proactively implementing consent requirements for the use of personal information. This commitment to member privacy is enhanced through employee training programs, strong internal policies and procedures, and member awareness programs.

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse. However, we think this measure could be refined somewhat by making it possible to disclose suspected abuse to a member of the individual's family. Research has shown that often, in the case of elder abuse especially, the next of kin are the abuser. We think a little stretch would help with that situation.

We are especially encouraged by attention to this important public policy issue because the credit union system has taken a bit of a lead on this issue of elder abuse. We've designed a course for front-line credit union employees on financial elder abuse detection and prevention and recently made an announcement to that effect with Minister Wong in Winnipeg. We also like Bill S-4 because it does a lot to reduce some of the regulatory burden that results from the current framework.

To give you an example, we are supportive of the proposal that would make it less difficult for institutions to share information when they're in merger discussions. As you may know, the credit union system is rapidly consolidating, so this is a welcome development. Similarly, we support the proposed amendments that permit the sharing of information between organizations for the purposes of fraud prevention. This too will reduce the administrative burden associated with some of the activities of Canadian Central, my organization's Credit Union Office for Crime Prevention and Investigation.

We note, however, that as drafted, the information sharing between financial institutions appears to be limited to the detection and suppression of fraud. We would recommend that financial institutions be allowed to share information related to criminal activity to cover the broader range of activities that we want to capture: bank robberies, ATM breaches, and that kind of thing. We also have some concerns about provisions that may increase regulatory burden.

Specifically, the legislation proposes requirements that would compel financial institutions to keep records of all data breaches. As you know, the reporting requirements say that breaches must be divulged when they pose a real risk of significant harm to individuals. We're not clear why it is necessary to impose record-keeping requirements that are not aligned with this reporting test. The usefulness in recording incidents that do not meet the significant harm reporting threshold is not readily apparent to us. We would recommend aligning the record-keeping requirement with the proposed reporting requirements. We also question the proposed potential penalty of $100,000 for non-compliance with this new record-keeping requirement. While this may not be a material amount to some of our larger competitors, you can imagine the impact of a fine like this on a small credit union with $10 million in assets and whose profits are well under $1 million. This could really harm the credit union. We'd recommend that the fines be geared to the size of the institution.

To help put these concerns in context, just to give you a sense of why these large and small institution issues matter to us, we did a study back in 2013 on regulatory burden. We found that small credit unions, those with fewer than 23 employees, devote fully one-fifth of their staff time to regulatory administration. It's a huge burden for our smaller institutions. Our bigger institutions devote only 4%, and keep in mind that our biggest institutions are many times smaller than the biggest banks out there.

The unintended consequence of a lot of the regulations that get imposed on the credit union system is that they inadvertently create a competitive advantage for larger institutions, and that's a concern for us. In fact, we raised that concern with the finance committee here at the House of Commons, and they agreed. They said that “the government should examine means by which credit unions and caisse populaires could be on a level playing field with Canada’s large financial institutions”. We think there are a couple of areas in this proposed legislation that could be tweaked to address that concern.

To conclude, we want to thank the committee for this opportunity to share our thoughts on Bill S-4. We applaud the government for some important and positive changes, especially around information sharing to prevent financial abuse of seniors and to reduce administrative burden.

That said, we would recommend adjusting the bill to allow financial institutions to share information related to criminal activity in order to cover crimes such as bank robberies, ATM compromises, and so on. We are also recommending that the bill be modified to make it possible to disclose suspected abuse to a member of the individual's family, not just next of kin. Finally, we would just ask that the government continue to be sensitive to the needs of smaller financial institutions by, for example, aligning record-keeping with record-reporting requirements and making fines for non-compliance proportional to the size of the institution.

We want to thank the committee again for our opportunity to share these perspectives, and we look forward to your questions. Thank you.

We will both be making a presentation, Mr. Chair.

My name is Frank Zinatelli. I'm vice-president and general counsel with the Canadian Life and Health Insurance Association. I'm accompanied today by my colleague Anny Duval, who is counsel with the CLHIA.

The CLHIA represents life and health insurance companies, accounting for 99% of the life and health insurance in force across Canada. The Canadian life and health insurance industry provides products that include individual life and group life, disability insurance, supplementary health insurance, individual and group annuities, including RRSPs, RRIFs, TFSAs, and pensions.

The industry protects almost 28 million Canadians and about 45 million people internationally. The industry makes benefit payments to Canadians of $76 billion a year, has $647 billion invested in Canada's economy, and provides employment to over 150,000 Canadians.

We welcome this opportunity to appear before the committee as it reviews Bill S-4, which makes important amendments to the Personal Information Protection and Electronic Documents Act.

For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has been long recognized by the industry as an absolutely necessary condition for maintaining access to such information. Accordingly over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.

For example, in 1980 we developed right to privacy guidelines that represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protections acts in the early 2000s, and health information legislation in various provinces.

The industry's overarching theme is to achieve harmonization in the treatment of personal information across Canada as much as possible. The operations of life and health insurers are national in scope, and many common day-to-day transactions may involve interprovincial collection use and disclosure of personal information. Thus, the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level is very important to avoid unproductive duplication and confusion for consumers, organizations, and regulators alike.

With harmonization in mind, let me turn now to Bill S-4, the digital privacy act. The industry is generally supportive of the bill, as it contains some needed updates that move PIPEDA to be more consistent with other private sector privacy legislation in the country.

For example, B.C. and Alberta deal with the use of information without consent of the individual more effectively than is now the case in PIPEDA. In this regard, the industry strongly supports those amendments to section 7 of PIPEDA, particularly proposed paragraph 7(3)(d.2), which would help industry efforts to detect, deter, and minimize fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging.

The industry efforts to control the incidence of fraud are not in conflict with our protection of personal information, but we note that there's a gap in the current legislation that restricts the ability of organizations to disclose information without consent of the individual for the purpose of conducting an investigation into a breach of an agreement or of a law of Canada.

While it is industry practice to obtain consent, there exist clear instances where this cannot be done—for example, where the suspected perpetrator is a third party that is not directly involved with the insurance contract, such as a service provider to a member of a group benefit plan.

In some instances, obtaining consent makes no sense. For example, this latter situation is contemplated in a note to principle 3 of the CSA model code for the protection of personal information, which forms part of PIPEDA:

When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.

For these reasons, we support Bill S-4's amendments to section 7 of PIPEDA, which more clearly set out when personal information can be collected, used, and disclosed during an investigation.

This will allow all parties to more clearly understand the range of acceptable circumstances when there is an exception to consent and will have the additional advantage of being harmonized with the approach used in both the Alberta and B.C. PIPA.

Thank you very much for providing me with the opportunity to speak to you today.

My name is Éloïse Gratton. I am a partner at Borden Ladner Gervais. I also teach a privacy law course at the University of Montreal law faculty.

I've been practising in the field of privacy law for over 15 years and I represent a range of clients, mostly private sector businesses from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients.

My time is limited, so I'm going to first mention two provisions in Bill S-4 that have my support, and then two that raise concerns.

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

I have concerns with two provisions in Bill S-4, the first one being the clarification on valid consent. I know that many have appeared before me to discuss Bill S-4 and they have expressed their approval of the proposed amendment to clarify the requirements for valid consent.

Yes, in theory, not many people would logically object to having more stringent provisions governing valid consent; still, I have a few concerns with this proposal.

PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: do we have a concern with this consent requirement, and if so, will the proposed amendment address such concerns?

If the proposed amendment is accepted, the message sent to organizations is that the way they used to get consent may no longer be valid and that perhaps they should be taking additional steps.

PIPEDA is based on a “notice and choice” model that may prove to be a real challenge in 2015. In my recent book Understanding Personal Information, I have a chapter dealing with the challenges with this notice and choice approach. I was raising that in our day and age, it is debatable whether this model still makes sense and is a realistic one. Very busy individuals with limited time are expected to review, understand, and agree to various different—sometimes online—terms of use agreements, and keep up with new technologies and business models constantly evolving.

We have also already begun witnessing how consent forms are now requiring a few additional clicks to ensure that express consent is obtained in compliance with the new Canadian anti-spam law, since under this law certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement. I am mostly concerned that this type of amendment will be translated by organizations including additional verbiage in their already very long privacy statements and by requiring more clicks from users already overloaded with information.

I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand in some situations the necessity for this proposal.

A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One example worth noting was the case of Stevens v. SNF Maritime Metal. It's a case that ended up in the Federal Court in 2010. This was the case of SNF, a company purchasing scrap metal from another company. That company's employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal to them. SNF disclosed the fact to his employer, who was already suspecting that someone was stealing scrap metal from them. The company realized that its employee was indeed stealing from them. They fired him and the employee then sued SNF for breach of his privacy.

Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since they had disclosed personal information about Stevens, the fraudulent employee, to its employee and their business partner without his prior consent.

The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the investigation of a breach of an agreement provision, or the purposes of detecting fraud provision. These disclosures would further be invisible to both the individuals concerned and to the Office of the Privacy Commissioner.

If we could find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such a situation would have to be transparent about these disclosures, I would offer my support to this type of amendment.

Thank you. I welcome your questions.

I think the clause is good because it provides greater clarity. If we are going to stay with the regime of consent, you want something that is clearer rather than more vaguely worded. My broader concern about where Bill S-4 is right now in 2015 is that we have seen that all of these ideas of consent are not actually effective. We need to see much stronger protections in other areas, in terms of regulating use and disclosure.

But I think the clearer language is a very welcome step, from my perspective.