Information & Ethics Committee on May 1st, 2018

Is your annual report to Parliament due this spring?

Oh, it's in September.

Will you be renewing your request for greater authority, greater ability to apply meaningful penalties?

With regard to penalties, on April 18, just a couple of weeks ago, the government published in the Canada Gazette the long-overdue regulations for mandatory breach reporting and record keeping in Canada. I would just recall for our audience that on June 18, 2015, the previous Conservative government passed the Digital Privacy Act to amend PIPEDA.

Most of that act came into force then, but it's taken three years for the new regulations on mandatory privacy breach notification. We are told it will only come into effect in November, although it's been long expected by those who are aware they will come under the provisions of this reporting. Is that a justifiable delay in your mind?

I'm looking at a document generated by Fasken, but a number of law firms have advised their clients. I'll quote the Fasken's advice, which says:

The coming into force of mandatory privacy breach notification, reporting and record-keeping in PIPEDA represents a sweeping change to the conduct of commercial activities in Canada. The rules will present new costs, risks and challenges for organizations, large and small, including in respect of legal risk management....

What's your office doing in terms of advising those who will be covered by the provisions of these new regulations?

Am I correct in believing the maximum penalty you have under these regulations is $100,000?

Now, I expressed the belief that $100,000 was a pretty trivial penalty for a significant breach violation. A member of the government on a television panel that we were participating in said that the $100,000 actually would apply to each of the individual violations. If there were 100,000 individuals affected by that breach, it would be multiplied. A possible penalty could be multiplied by $100,000. Is that correct or incorrect?

Would that be with regard to your reading of the detail of the regulations?

Thank you, Mr. Kent.

Next up for seven minutes is Mr. Angus.

Thank you, Mr. Chair.

Thank you, Mr. Therrien. We're very pleased to have you. We think we should have a special desk for you here, because you're at our committee all the time and we're using your advice consistently.

That's wonderful.

I am concerned about the transformation of the struggle over the privacy file over the last 10 years. Even as we update PIPEDA, this seems to be affecting many other elements.

I would refer you to a recent statement by the Bank of Canada, which normally doesn't weigh in on these matters. The deputy governor of the Bank of Canada, Carolyn Wilkins, said that they're very concerned about the effect on competition in the Canadian economy by the massive control of personal data by a few giant tech firms, mostly American firms. She stated:

Access to and control of user data could make some firms virtually unassailable. They can easily drive out competition by combining their scale with innovative use of data to anticipate and meet evolving customer needs at a lower price, and sometimes for free.

Would you consider it necessary that we start to advocate for more powers for your office to start to deal with the more diversified issues that are coming up with the growing data giants, whether it be issues of anti-competition or issues of privacy protection?

Thank you.

To that end, I'm concerned, and have heard from many people, about the new agreement that Rogers is putting on its consumers, saying that if you use their services, you're essentially agreeing to give them access to your personal contacts as terms and conditions of use.

In your view, would that be a breach of PIPEDA?