Evidence of meeting #33 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)
A video is available from Parliament.
Conservative
Mark Warawa Conservative Langley, BC
A fine of up to $100,000 per individual is substantial and could destroy a company.
Who determines the appropriate fine, and what do we have for an appeal?
Deputy Minister, Department of Industry
The Federal Court would determine the fine based on a number of...how frequently this has occurred. That is, like you said, an “up to” fine.
Deputy Minister, Department of Industry
I think specifically it is the Director of Public Prosecution who enforces it.
Conservative
Mark Warawa Conservative Langley, BC
So discretion is left with the courts to set a maximum fine.
On seniors' issues, the minister shared the concern that the government has on senior abuse, which is very warranted, and I agree with him. Senior abuse, though, can happen in many different forms, not necessarily within family. It can be unscrupulous business; it could be even through mail theft, or a phone scam—so many different ways.
I'm from the Vancouver area, and mail theft is a huge problem. Canada Post has changed their mailboxes to make them much more secure.
What responsibility do financial institutions have if they have mailed a new credit card to a senior and that card has been activated in fraud? Does the senior have any responsibility?
Deputy Minister, Department of Industry
I'll get Chris to help me out again, but I think the particular case you're raising is moving into the Criminal Code, as opposed to being within the purview of PIPEDA.
Having said that, under PIPEDA currently, a bank cannot contact anyone. The amendments we're providing for will allow them to do this within the specific context of financial abuse relating to the banking transactions.
Director General, Digital Policy Branch, Department of Industry
When you're getting into credit card fraud and identity theft, that falls to the Criminal Code. Like the deputy said, there's a very specific amendment here.
If you're a teller in a rural bank and you have a regular elderly customer coming in with somebody and you clearly see the customer handing off cash to them, right now PIPEDA constrains you from being able to call anybody in the family to say that you've noticed their mother coming in lately and people have been taking her money, or she's been giving money to somebody you don't know and you want to make sure they're aware of that. They can't do that now under PIPEDA. PIPEDA restricts them from being able to give out that personal information. This takes that away.
Conservative
The Chair Conservative David Sweet
Mr. Padfield, thank you very much.
Now, on to Ms. Nash for four minutes.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Thank you, Mr. Chair.
Again, I want to emphasize that I think there are many provisions in this bill that Canadians are looking for and feel are long overdue, and they are happy to see. I think it's unfortunate that there are some other provisions in this bill that are creating a lot of concern. Canadians are very concerned about their digital privacy, which is why this bill is being brought in. Yet, the area of warrantless disclosure is one that has been highlighted. It was highlighted at the Senate committee. While there may be absolutely legitimate areas where it makes sense to have warrantless disclosure, it's the lack of oversight that's troubling here.
I just want to cite quickly a couple of pieces of testimony on Bill S-4. First of all, Peter Murphy, who is a partner at a Canadian law firm, Gowling Lafleur Henderson, says again there are some welcome changes in Bill S-4. But he also goes on to comment in particular on the provisions allowing for disclosure of personal information without consent between organizations in support of investigations and breaches of law agreements or fraud cases of financial abuse, and I'm quoting:
This change would seem to permit fishing expeditions by companies seeking to sue individuals. For example, copyright holders would have grounds to freely obtain lists of internet addresses of individuals to find and sue internet downloaders. This seems to be a significant invasion of privacy if reasonable controls are not added to the proposed wording.
Michael Geist, who is a law professor here at the University of Ottawa, is an expert on digital matters, and he says:
Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
So, my question is, why is there not greater accountability, greater oversight, to ensure that this provision, if you do believe it is necessary, is not abused?
Deputy Minister, Department of Industry
The approach that we're taking here, as we've indicated, is that in the areas that we're talking about they are extremely limited and very specific. We referred earlier to the four tests. Let me talk a little more about those because I think they're relevant to the question you just raised, which is, specifically, that the sharing of information between companies cannot occur unless there truly is evidence of a real investigation, say, for example, with respect to fraud.
Also, there has to be demonstration, and it's consistent with these four tests, that if the information was not shared, the investigation that is under way would be compromised. In other words, the seeking of consent would actually compromise the investigation.
Again, we as administrators consider the changes to be in line with what other provinces are doing, and they're in line with the existing act because these provisions already exist within the act.
February 5th, 2015 / 12:50 p.m.
Conservative
Joe Daniel Conservative Don Valley East, ON
Thank you, Chair.
Thank you, folks, once again.
My questions are always a bit skewed, I know, so we'll try to work with that. This bill has been focused very specifically on business-to-business, business transactions, etc., but there are tons of NGOs and tons of charitable organizations that have a lot of personal information. Does this bill take that into account as well? Can we do anything about that? The example is, I'm a volunteer and I go to, I don't know, the Heart and Stroke Foundation, and I take a look at all of their donor lists, and take a USB and copy it all, and use it for my own purposes or sell it to somebody.
Deputy Minister, Department of Industry
The short answer is that the bill only applies to commercial activities, so if an NGO is involved in commercial work, then this bill applies.
Director General, Digital Policy Branch, Department of Industry
If the NGO were selling products or something like that and there was a commercial aspect to it, it would apply. Generally if it's outside the commercial frame, PIPEDA does not apply.
If it's in a provincial jurisdiction, it may apply.
Conservative
Joe Daniel Conservative Don Valley East, ON
Generally, they're not selling anything per se. They're collecting money for some worthy cause, right? But there is personal information on many people in there.
Deputy Minister, Department of Industry
PIPEDA is but one act that is relevant to these privacy issues. We've talked about the Privacy Act, and it's quite different. There's the Criminal Code. That would be another important element of it.
Director General, Digital Policy Branch, Department of Industry
Privacy falls across so many pieces of legislation. Even the cyberbullying act has very specific pieces of privacy legislation there identifying specific uses or not for intimate images. That's another example of the other pieces of legislation that touch on privacy issues.
Conservative
Joe Daniel Conservative Don Valley East, ON
Say I've stolen a whole bunch of information and I'm now going to start reselling it, for whatever reason, whether it's pictures or anything else like that. Is there legislation that would criminalize me personally for doing that? I presume so. It may not be in this legislation.
Director General, Digital Policy Branch, Department of Industry
Yes, with any possession or creation of identity documents, as soon as you're getting into that kind of criminal activity, you're getting into identity theft issues that are covered by the Criminal Code.
Conservative
The Chair Conservative David Sweet
Colleagues, we're very close to our time. I think by the time we went in camera to do the business, it would be difficult to deal with it.
Madame Borg.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Mr. Chair, I have a question or, rather, a request.
Further to all of the questions and answers we've heard today, I think it would be helpful to all the committee members if the analysts could prepare something for us on the Spencer decision. I don't know if the rest of the committee would like that, but I think it would be helpful.
Conservative
The Chair Conservative David Sweet
You can request that yourself, Madame, and we will make sure that's available.
Conservative
The Chair Conservative David Sweet
We'll make sure that a brief on this is available for the members who desire it.
All right, colleagues, the small piece of business I had will be okay until the next meeting.
The meeting is adjourned.