Evidence of meeting #33 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A video is available from Parliament.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Thank you, Mr. Chair.
I want to say I have had the benefit, being the parliamentary secretary, of having had briefings with you. Thank you for that. I expect this hour will show us how you're able to consolidate some fairly complex information, translate it, and help us to understand it in a short period of time. That is really a testament to the expertise that you have.
As Privacy 101, maybe you could start off with a quick explanation of the difference between PIPEDA and the Privacy Act.
Deputy Minister, Department of Industry
I'll start and then ask my colleagues to help me out.
In brief, PIPEDA and the Privacy Act are quite different. PIPEDA applies to the private sector and its collection, use, and disclosure of personal information in the context of commercial activity. From a federal government perspective, that means specifically that the trade and commerce power is being applied as well. It applies to federally regulated industries, specifically, for example, to banks and telecom companies. The Privacy Act applies to federal governments and agencies and their handling of personal information.
These are quite different, and quite different in the sense of how the bills are conceived. PIPEDA is based on the concept of consent, generally requiring that an organization have the consent of the individual to collect, use, and disclose their personal information and based on the application of those principles that you'll find in the act. The Privacy Act is not based on consent, but instead is very prescriptive as to when and how federal institutions may collect information. No personal information, for example, shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
I'll conclude by saying that in the area of digital privacy, we feel that you need these principles and a balanced approach in order to take into account the changing technology. A balanced approach gives you the flexibility to still apply the rules, even though the hardware and the software are constantly changing, for example.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
For those who may be following these hearings over the next several weeks, something that might be helpful as well is to understand how the federal and provincial jurisdictions deal with privacy differently, because it seems to me that the provinces each have their own legislation similar to PIPEDA.
Why would there be a need to have legislation at both levels?
Deputy Minister, Department of Industry
I'll let Chris elaborate, but the short answer is that we apply to federally regulated industries and they apply to provincially regulated industries.
Director General, Digital Policy Branch, Department of Industry
That's right, and not every province has privacy legislation in place. PIPEDA basically blankets the whole of the country. In those locations that have moved forward with their own privacy legislation—Quebec, B.C., and Alberta—they have what is called “substantially similar designation” under our legislation, so we recognize that in those three jurisdictions, for privacy issues contained within the province those pieces of legislation take precedence.
You can see situations in which privacy issues cross borders, and then you see both the Privacy Commissioner federally and the provincial privacy commissioner working together to address issues.
The provincial powers are different from the federal powers. With the trade and commerce powers, we're restricted federally to issues that happen within trade and commerce activities, whereas provincially they break down into deeper, more regular activities of individual Canadians, rather than just those in the context of the commercial activities.
Conservative
The Chair Conservative David Sweet
Thank you very much, Mr. Padfield.
Now we go on to Ms. Papillon.
You may go ahead for four minutes.
NDP
Annick Papillon NDP Québec, QC
By referring the bill to a committee before second reading, the government opted to take a different route.
Could you please tell me why the government referred the bill at that stage, before second reading? Could it be that the bill, in its current form, might be deemed unacceptable given its deficiencies, making it necessary to follow such a process?
Moving the bill through all these stages has prolonged the process. I'd like you to tell me why the government decided to proceed that way.
Deputy Minister, Department of Industry
Mr. Chair, these are decisions of the government and not decisions of officials, so I don't think it would be appropriate for me to comment on this.
Conservative
NDP
Annick Papillon NDP Québec, QC
Bill S-4 would require organizations in the private sector to report any loss or breach of personal information. But the criterion on which that mandatory reporting is based is subjective. In fact, the bill allows organizations to determine, themselves, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
Why didn't the government choose a more objective criterion as the basis for that determination, such as the one proposed in Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which was introduced by my colleague?
Deputy Minister, Department of Industry
Again, I think the model that we have here is to ensure that the Privacy Commissioner
has adequate powers precisely to examine the problems. Given the current context, the bill enables Canadians to ask organizations exactly what happened to their information.
NDP
Annick Papillon NDP Québec, QC
But why didn't you use a more objective criterion, such as the one in Bill C-475, which was introduced in 2012?
Since the government's bill is modelled after Bill C-475, why wasn't a more objective criterion used?
Deputy Minister, Department of Industry
As I just said, I believe the bill is based on principles. It's always important to find the right balance. What the bill does is make it unnecessary to impose conditions outright.
I'll ask Chris to explain further.
Director General, Digital Policy Branch, Department of Industry
If I understand the question on the data breach provisions correctly, with regard to whether it's the private sector making the risk assessment versus the data breaches going specifically to the commissioner and having the commissioner review all the data breaches, in the approach that has been put forward in Bill S-4, the outcomes end up being the same.
When an individual company does an assessment of the risk of the data breach and whether there's going to be harm to the individual, they go through the procedure for figuring out whether they have the risk. Once they've identified that there's going to be a risk of harm, they identify both the individual and the Privacy Commissioner. At the same time, when they've done that assessment and they've reviewed the data breach, if they've found that there is no risk of harm, they're required to maintain a record on those and the commissioner can ask for those records at any time. They could ask the individual company to report all of those records to them at any time. So the commissioner has access to the same types of information and can review all those at any time.
The end result is the same. The commissioner has access to any and all data breach records at any time he wants, whether there's a real risk of significant harm or otherwise.
Conservative
The Chair Conservative David Sweet
Thank you, Mr. Padfield, that's all the time we have.
Now we have Mr. Carmichael for four minutes.
Conservative
John Carmichael Conservative Don Valley West, ON
Thank you, Mr. Chair.
Mr. Knubley, I'd like to go back to a question my colleague Ms. Gallant asked the minister about in the first round and that is with regard to red tape reduction.
In your opening remarks you talked about the concept of balance and about what's made PIPEDA successful over the years. Principles set out in the annex included important concepts such as accountability, consent, accuracy, safeguards, and openness to just name a few. In your opening statement, you talked about the five significant changes to the act and in number five, you talked about reducing the burden to business and a number of elements that are listed there.
I wonder if you could just elaborate on how this bill is going to ensure that we don't increase but rather reduce red tape, because as you know that has been a focus of our government for the last several years up to and including its own act, the red tape reduction act, which is a very important part of what we believe is important to the economy. I wonder if you could just elaborate on that for us, sir.
Deputy Minister, Department of Industry
These amendments were done very much in the context of the 2007 five-year review. I think there was an assessment at that time around the issues of the burden to businesses with respect to PIPEDA.
I think there are five very specific, and I would add limited, amendments in this area to improve and streamline the obligations of business. One is related to business contact information; we're talking here of an email address or a fax address. This would exclude all types of business contact information, provided this information is only being used to communicate with the individual with respect to their employment, business, or profession.
Of business transactions, the most concrete example is mergers and acquisitions, and if two businesses are going through both a merger and an acquisition then it's deemed appropriate to share information without consent.
Conservative
Deputy Minister, Department of Industry
Correct.
Work product is a concept that I think is in the bill. The issue is, can the businesses carry on their activity without sharing the work product? An example might be an inspector who has signed a bill of activity and he's put his name at the bottom. Can the businesses share the actual bill between the two companies?
Processing of insurance claims and employee information, I think typically relates to termination. Chris, help me out on the explanation of these very limited circumstances.
February 5th, 2015 / 12:25 p.m.
Director General, Digital Policy Branch, Department of Industry
It's very specific and very common sense. A lot of them come from that second Parliamentary review. Because in PIPEDA consent lies across everything as a principle, there are some very specific circumstances.
I think the business transaction is a great one. When companies are looking to merge, they don't want to have to go through and get consent from every customer on each side of the border, which is the way PIPEDA kind of reads now. You have to go back to each person or client and get their individual consent that you can share their information with the other company when you go through that transaction. It just doesn't make sense.
Conservative
Director General, Digital Policy Branch, Department of Industry
It simplifies that process. It covers and protects the key people involved because it makes sure that there are contractual obligations. If the transaction doesn't happen, the company that receives information has to destroy the information. It's a very clear, common-sense approach to business transactions.
Even on the data breach side, we've streamlined the approach of data breach to minimize the number of tests and how the reporting is done to make sure that it's only meaningful reporting for Canadians. It minimizes the burden on industry in that reporting system.
Conservative
Liberal
Emmanuel Dubourg Liberal Bourassa, QC
Thank you, Mr. Chair.
I'd like to pick up on the part of Bill S-4 that concerns the transfer of information between the organizations.
I'd like to first say I think it's very commendable to have a bill that seeks to protect the elderly and young people when they are sharing information online. But I am troubled by the total lack of oversight when it comes to public institutions sharing information among one another, including law enforcement agencies. The information is being shared without the individual's consent or any monitoring. There is an absence of any civil liability in that regard.
Don't you think the bill should be amended to address that? The Privacy Commissioner is involved, especially when it's a matter of security, but in other cases, as I just pointed out, the information is being shared without any oversight.
Deputy Minister, Department of Industry
That's a very good question. We'll explain to you how that can be addressed.
Generally, I think the four following criteria are now applied.
Is it an issue that concerns the private sector?
Is there really a risk of fraud or of a problem arising between the companies and does it affect Canadians?
Also applicable is the test of reasonableness.
So it's not fair to say that there are no such provisions to that effect.
I will ask Christopher to explain.