Evidence of meeting #41 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Barbara Bucknell  Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Janet Goulding  Director General, Governance, Policy Coordination and Planning, Department of Industry
Jill Paterson  Policy Analyst, Security and Privacy Policy, Digital Policy, Department of Industry
Maxime-Olivier Thibodeau  Committee Researcher

12:10 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

And monetary sanctions are the norm in the other international countries, are they?

May 29th, 2012 / 12:10 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

12:10 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Are there any other areas, when we're talking internationally, that we cover and they don't, or that they cover and we don't? Are there other important areas that we should be looking at as well as the enforcement?

12:15 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. There's a whole other series of issues that you could look at in a PIPEDA review. I believe we will be releasing a paper on that very soon. Some of them are more details in working with the law over the years. Some are more major things like enforcement powers, the role of the individual in trying to enforce his or her own rights, which I think would be a good subject for study for this committee.

12:15 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

In your opening remarks, you talked about the provinces. You said that your counterparts in Alberta and British Columbia had recently issued accountability guidance to the companies, but there are more than two provinces that have legislation, are there not?

12:15 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. In terms of regulating the commercial private sector, there's also the province of Quebec, which adopted a law in 1995. I believe Quebec did not choose, on the advice of its justice department, to join us in that document, although I believe they're planning to join us in issuing other guidance of another kind.

12:15 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Are there only the three provinces?

12:15 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

That's right. There are only the three provinces. Elsewhere in Canada, PIPEDA applies to commercial use of personal information.

12:15 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Other than that change, do they fall in line with each other pretty well? Are they comparable in the three provinces?

12:15 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. Over the time I've been Privacy Commissioner, we have made it a priority to coordinate our efforts on messaging. We're producing joint materials more and more. We've done joint investigations. We think it's very important in a federated country like Canada that industry has a similar standard to observe throughout the country.

I think we've been fairly successful at ensuring that.

12:15 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Do you think there have been any changes by the companies in the way they handle the personal information in these online sites? We hear more about it all the time with more concerns being raised. Is it just that people are becoming more aware of what can happen, or is there a difference in how they're handled?

12:15 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I believe there's a more creative use on that, but once again could I ask Ms. Bucknell to complete my answer?

12:15 p.m.

Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada

Barbara Bucknell

I think people have become more aware, partly due to breaches and things like that, partly also due to some of these very large companies trying things with their membership, with the users who belong to their sites, and then getting user backlash in many cases.

We've seen that hit the news in a big way, particularly about two years ago. I think in that sense, yes, we hear a lot more about it, but they are always finding new, innovative ways to use personal information.

12:15 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Are there specific challenges—

The Chair NDP Pierre-Luc Dusseault

Your time is up, Ms. Davidson.

Fortunately, we will be able to hear from more witnesses a little later.

Madam Commissioner, we are out of time to ask you questions. But we will continue this study for some time, and we will be able to ask you back to take stock of what was said by other witnesses, depending on the committee's wishes.

We need to suspend for a few minutes to make way for the next witnesses. There will then be 10 minutes for presentations and a few minutes for questions. We will have time to discuss committee business a little later.

Thank you.

The Chair NDP Pierre-Luc Dusseault

We are resuming the meeting as quickly as possible, given that we are a little short on time today.

I would like to thank the next witnesses from the Department of Industry for being here today. They have 10 minutes for their presentation. We will then have a period of questions. Without further ado, I will turn it over to the witnesses.

Ms. Goulding, go ahead.

Janet Goulding Director General, Governance, Policy Coordination and Planning, Department of Industry

Thank you, Chair.

I'd like to introduce my colleagues who are with me today: Bruce Wallace, director of security and privacy policy, and Jill Paterson, a policy analyst with our digital policy branch.

Your committee has chosen to study a very important and timely issue. The protection of personal information online is a prerequisite for a strong global digital economy. I am here today to provide some background on the federal legislation that protects the privacy of Canadians in commercial transactions, online and elsewhere, the Personal Information Protection and Electronic Documents Act or PIPEDA.

Since it was implemented, PIPEDA has provided a solid foundation for the protection of privacy online. Canada's federal private sector privacy law is regarded around the world as a model for other countries to follow when seeking ways to protect the privacy of individuals. Much of its strength comes from the manner in which PIPEDA addresses privacy in a technologically neutral way, using a flexible, principle-based approach.

PIPEDA deals with two distinct issues. Part 1 sets out the privacy protection obligations under the act. Parts 2 to 5 deal more with electronic documents than with privacy, and as such are not relevant to your current study.

Part 1 of PIPEDA sets the rules for the private sector in protecting personal information used in the course of business. It establishes clear ground rules that govern the collection, use and disclosure of personal information.

The act balances two central considerations: the need to protect the privacy of individuals, and the need of organizations to collect, use, or disclose personal information in the course of commercial activities. Striking this balance is particularly relevant in the online environment, where large amounts of information can be rapidly collected and stored, and financial transactions can be completed in just a few seconds.

There are some key features of the act I'd like to touch on today.

First, the act applies only to personal information that's used for commercial purposes. It applies to personal information in all formats—electronic and non-electronic. The act applies across the economy as a whole, not just to individual sectors.

Second, the law is based on a set of principles taken from the Canadian Standards Association's Model Code for the Protection of Personal Information. The code was developed by the private sector and consumer representatives and was adopted well before the act came into force. The code is a set of 10 core privacy principles, which were incorporated into schedule 1 of the act.

I'd like to draw your attention to the most central principle, which is the need for consent. Privacy legislation in Canada, and in many other countries, is founded on the principle of consent, whether that be expressed or implied, to collect, use, and disclose personal information.

The act also requires that any collection, use, or disclosure of personal information by an organization should be considered by a reasonable person to be appropriate in the circumstances. This is an overarching test that applies to all provisions of the act. This requirement brings a significant degree of flexibility to the legislation, allowing PIPEDA to remain applicable while social norms, behaviours, and expectations change over time and in different situations, both online and offline.

PIPEDA first came into force in 2001, before the onset of online services and activities—such as Twitter, YouTube, Google, and Facebook—which today we take for granted. Yet as the Internet has evolved, and as new services have been introduced, the legislation has proven to be an effective tool. Its flexibility, resulting from its technology-neutral and principles-based approach, has enabled Canada's Privacy Commissioner to address the challenges that have arisen online, including in social media environments. She has enforced privacy provisions on an international scale against some of the world's largest online service providers, including Google and Facebook.

For example, following an investigation by the commissioner, Facebook took corrective action to bring practices in line with obligations under PIPEDA. Facebook agreed to provide information to help users better understand how their personal information will be used so that they can make more informed decisions about how widely to share that information.

Overall, the legislation continues to provide a robust framework on which to find a balance between business practices and protecting the privacy of Canadians. However, technological innovation, combined with continual changes to individuals' online practices, highlights the importance of reviewing PIPEDA to ensure that it can appropriately address emerging challenges.

In particular, the development of applications for individuals to share information about themselves—a key aspect of what is known as "Web 2.0"—is changing online behaviour. Much personal information is volunteered by individuals themselves. And despite being active participants in the flow of personal information, many users may not fully understand the way their information is used, or the associated privacy risks.

Research indicates that social media users may not anticipate how broadly accessible information they post will be. In addition, the use of "cookies" and other online tracking tools is pervasive, and yet largely invisible to the average Internet user. The potential exists for personal information to be aggregated and used in ways which the individual may never have even imagined and with which they may disagree.

There are complex issues involved in the development of policy frameworks to maintain privacy protection in this environment. Canada is one of many jurisdictions currently grappling with this. The OECD, for example, is currently conducting a review of its privacy guidelines, which were the first internationally agreed-upon set of principles and which influenced the development of the CSA model code, upon which PIPEDA is based.

Likewise, a good piece of legislation like PIPEDA can be made even better with regular review to ensure that it keeps pace with advancing technology and evolving business models.

Bill C-12, the Safeguarding Canadians' Personal Information Act, will update PIPEDA in a number of important ways. The bill, which is awaiting second reading in the House of Commons, is the result of the first review of the act, which was undertaken by your predecessors on this committee in 2006-2007. At that time the committee concluded that no major changes to the act were needed; however, they did make a number of recommendations aimed at improving some elements, notably the need for mandatory data breach reporting requirements.

Following the committee's report, Industry Canada conducted extensive consultations, leading to the government response, which indicated that several amendments to PIPEDA would be made to address the committee's recommendations. These amendments were first tabled in May 2010, but subsequently died on the order paper. The amendments were later reintroduced as Bill C-12, which was tabled in September of 2011.

Significantly, Bill C-12 will create a powerful tool to protect and empower consumers online. The bill establishes a framework under which businesses must notify customers when their personal information has been lost or stolen. Canada's Privacy Commissioner has long called for a legislative approach to data breach notification. In 2007, her office published voluntary breach notification guidelines, but she has expressed concern that not all businesses are reporting data breaches, nor have all organizations taken appropriate security precautions to protect their holdings of personal information.

Bill C-12 requires organizations to notify individuals in cases where a breach poses a real risk of significant harm, such as identity theft or fraud or damage to reputation. The Privacy Commissioner will also be informed of any material breach, thus allowing her to exercise oversight of compliance with the new requirements. Consistent with her current compliance powers, the Commissioner will be able to publicly name organizations that fail to meet their obligations if she feels this is in the public interest. This is a powerful inducement for organizations to act in good faith. In fact, we have seen this power compel change in the practices of well-known social media companies such as Facebook and Google. Several high-profile data breaches in the past several years, such as those experienced by Sony and the large e-mail marketing firm Epsilon, have underscored the need to pass this bill and its new notification requirements quickly.

The bill also includes enhancements to the consent provisions designed to protect the privacy of minors online. Research shows that children may not have the capacity to understand the consequences of sharing personal information. Not all marketing activity directed at children is inappropriate; however, some online services surreptitiously collect personal information about children in an environment that is often designed to look like playgrounds or educational websites. Therefore, Bill C-12 requires organizations to make a reasonable effort when collecting the personal information of minors to clearly communicate why it is being collected in a way that would be understood by the target audience.

We believe these changes are an important step towards ensuring that our privacy legislation continues to protect Canadians.

Thank you for the opportunity to come before the committee today. My colleagues and I would be happy to take your questions.

The Chair NDP Pierre-Luc Dusseault

Ms. Goulding, thank you very much for your presentation and for being here.

Ms. Borg now has five minutes for questions.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

I would also like to thank the witnesses for being here today.

Companies like Facebook and most social networks are not located in Canada, but we know that they have a lot of Canadian users. What is our legislative power over foreign companies that are active within Canada? What influence does our country have internationally?

12:30 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

The legislation applies to information collection in the course of commercial activities here in Canada. But clearly, the activity and the companies collecting that information can be international, so the importance of international cooperation on behalf of the Privacy Commissioner is a key element.

Recently the legislation was updated to allow the Privacy Commissioner to share information more broadly with her international counterparts.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

We all know that the Internet develops and changes very quickly. New websites are always being launched. It is growing so quickly that we are always trying to catch up. For me, it was important to have proactive measures to avoid a fear of using the Internet. I think this is all part of a digital strategy that your department announced. We haven't really seen anything new in this respect. So I would like to know if you have anything new to share with us.

12:30 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

In terms of digital policy, certainly the government has been very active. The passage of the recent anti-spam legislation is a key element, along with the amendments to PIPEDA that are currently before the House, in addition to the copyright legislation.

The minister has recently indicated that he will be releasing a strategy later this year. Many elements of the digital economy continue to evolve in Canada, and the government and the private sector continue to respond to those challenges.

Charmaine Borg NDP Terrebonne—Blainville, QC

Unfortunately, I think we are really lagging behind when it comes to everything Internet-related. I think that a lot of work needs to be done and that it is better to be proactive than wait until there's a disaster.

On that same topic, the commissioner, Ms. Stoddart, said in her testimony, and as you explained in your presentation, that Canada is lagging behind with respect to standards for data breach. Perhaps Bill C-12 doesn't contain enough measures.

Can you please explain why we lag so far behind when it comes to informing users about breaches of their personal information?

12:35 p.m.

Director General, Governance, Policy Coordination and Planning, Department of Industry

Janet Goulding

I think the commissioner was pointing to the fact that Canada is one of the few remaining countries that do not have mandatory data breach reporting requirements. Therefore, as I indicated, it is important for Canada to catch up and pass the amendments in Bill C-12 that are currently before the House.

In terms of going forward, the commissioner made reference to the overall compliance powers under the act and suggested that the second parliamentary review would be a good opportunity to take a second look at that. Perhaps that's something parliamentarians would like to do.

Charmaine Borg NDP Terrebonne—Blainville, QC

Do I have any time left, Mr. Chair?