Thank you, Mr. Chair. Good morning, members of the committee.
Thank you for the invitation to present our views on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act.
With me today are Patricia Kosseim, senior general counsel, and Carman Baggaley, senior policy analyst.
Ms. Kosseim and Mr. Baggaley appeared before the Standing Senate Committee on Transport and Communications on Bill S-4, shortly before my appointment as Privacy Commissioner was confirmed. My views on Bill S-4 are largely in line with the office's position as presented at that time.
I will, however, be addressing in more detail the proposed amendment that allows organizations to disclose personal information to other organizations without consent. I will also discuss paragraph 7(3)(c.1) disclosures in light of the Supreme Court's Spencer decision.
Let me first say that I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.
Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians in their dealings with private sector companies.
Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information. I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.
I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted. Requiring organizations to keep a record of breaches and provide a copy to my office upon request will give my office an important oversight function with respect to how organizations are complying with the requirement to notify.
The proposed voluntary compliance agreements will enhance my office's ability to ensure, in a timely and cost-effective manner, that organizations are meeting their commitments to improve their privacy practices without having to resort to costly litigation before the Federal Court in conditionally resolved cases.
As for the proposed provision that aims to enhance the concept of valid consent, I believe that this is a useful clarification of what constitutes meaningful consent under PIPEDA. It underscores the need for organizations to clearly specify what personal information they're collecting and why in a manner that is suited to the target audience.
While I support many of the amendments proposed in this bill, I nevertheless have strong reservations about proposed paragraphs 7(3)(d.1) and (d.2). These proposed provisions would allow an organization to disclose personal information without consent to another organization in certain circumstances. My concerns are twofold.
First, I believe that the investigative body regime as it currently exists in PIPEDA and which paragraphs 7(3)(d.1) and (d.2) seek to replace provides important transparency and accountability safeguards that will disappear with the proposed amendments.
Currently under PIPEDA, organizations can disclose personal information without consent to investigative bodies designated through a transparent Governor in Council process. The list of organizations with investigative body status is publicly available. Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.
Furthermore, the proposed provisions seek to dilute the thresholds and grounds for disclosure that currently exist under the current investigative body regime in paragraph 7(3)(d). I would prefer to maintain the existing investigative body regime. However, if that is not possible, then I would recommend keeping the existing PIPEDA thresholds found in paragraph 7(3)(d) and grounding disclosures in real problems rather than fishing expeditions.
This would mean three things: first, the threshold under paragraph 7(3)(d.1) should be based on a “reasonable grounds to believe” that the information relates to an actual breach or contravention; second, the threshold under paragraph 7(3)(d.2) should be based on a “reasonable grounds to believe” that the information relates to the detection or suppression of fraud that “has been, is being or is about to be committed”; and third, disclosures under paragraphs 7(3)(d.1) and 7(3)(d.2) should only be permitted on the initiative of the disclosing organization.
In addition, a mechanism for enhancing transparency and accountability around these disclosures would be needed. For example, disclosing organizations could be required to issue transparency reports and to document the analyses undertaken in deciding to disclose under these provisions.
Finally, I would like to address the Spencer decision and how I believe it impacts paragraph 7(3)(c.1) of PIPEDA.
In the Spencer decision, the Supreme Court held that police need a warrant or a court order when seeking subscriber information from an organization subject to the act.
In the court's view, there is a reasonable expectation of privacy in subscriber information connected with online activity and the police request that the organization voluntarily disclose this information constituted a search that violated the Charter. I believe that this decision is a significant step forward in protecting privacy, but it leaves unanswered the question of what types of information attract a reasonable expectation of privacy and the related question of when organizations may voluntarily disclose other types of information in response to a police request.
As a result, organizations are left in a state of uncertainty and ambiguity as to when they may or may not disclose personal information without warrant and it leaves individuals in the dark about when their personal information may be disclosed to state authorities without their consent or prior judicial authorization.
I would therefore urge the committee to recommend putting an end to this state of ambiguity by clarifying when, post-Spencer, the common law policing powers to obtain information without a warrant may still be used. I believe that a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada's decision.
More specifically, I would recommend that Parliament provide greater clarity and transparency by amending PIPEDA to define “lawful authority” for the purposes of paragraph 7(3)(c.1) in line with the Supreme Court's decision, that is, where there are exigent circumstances, pursuant to a reasonable law other than paragraph 7(3)(c.1), or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.
Thank you for your attention. I would be happy to answer any questions you may have.