Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
David Elder  Special Digital Privacy Counsel, Canadian Marketing Association
Wally Hill  Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association

11 a.m.

Conservative

The Chair Conservative David Sweet

Good morning, ladies and gentlemen.

Welcome to the 34th meeting of the Standing Committee on Industry, Science and Technology where pursuant to the order of reference of Monday, October 20, 2014, Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act, is what our study is right now.

We are grateful to have before us the Privacy Commissioner of Canada, Daniel Therrien. With him are Patricia Kosseim and Carman Baggaley.

We have a second panel at noon, colleagues, so we will begin with the Privacy Commissioner's testimony and then our rounds of questions.

Mr. Commissioner.

11 a.m.

Daniel Therrien Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair. Good morning, members of the committee.

Thank you for the invitation to present our views on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act.

With me today are Patricia Kosseim, senior general counsel, and Carman Baggaley, senior policy analyst.

Ms. Kosseim and Mr. Baggaley appeared before the Standing Senate Committee on Transport and Communications on Bill S-4, shortly before my appointment as Privacy Commissioner was confirmed. My views on Bill S-4 are largely in line with the office's position as presented at that time.

I will however be addressing in more detail the proposed amendment that allows organizations to disclose personal information to other organizations without consent. I will also discuss paragraph 7(3)(c.1) disclosures in light of the Supreme Court's Spencer decision.

Let me first say that I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians in their dealings with private sector companies.

Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information. I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.

I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted. Requiring organizations to keep a record of breaches and provide a copy to my office upon request will give my office an important oversight function with respect to how organizations are complying with the requirement to notify.

The proposed voluntary compliance agreements will enhance my office's ability to ensure, in a timely and cost-effective manner, that organizations are meeting their commitments to improve their privacy practices without having to resort to costly litigation before the Federal Court in conditionally resolved cases.

As for the proposed provision that aims to enhance the concept of valid consent, I believe that this is a useful clarification of what constitutes meaningful consent under PIPEDA. It underscores the need for organizations to clearly specify what personal information they're collecting and why in a manner that is suited to the target audience.

While I support many of the amendments proposed in this bill, I nevertheless have strong reservations about proposed paragraphs 7(3)(d.1) and (d.2). These proposed provisions would allow an organization to disclose personal information without consent to another organization in certain circumstances. My concerns are twofold.

First, I believe that the investigative body regime as it currently exists in PIPEDA and which paragraph 7(3)(d.1) and (d.2) seek to replace provides important transparency and accountability safeguards that will disappear with the proposed amendments.

Currently under PIPEDA, organizations can disclose personal information without consent to investigative bodies designated through a transparent governor in council process. The list of organizations with investigative body status is publicly available. Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

Furthermore, the proposed provisions seek to dilute the thresholds and grounds for disclosure that currently exist under the current investigative body regime in paragraph 7(3)(d). I would prefer to maintain the existing investigative body regime. However, if that is not possible, then I would recommend keeping the existing PIPEDA thresholds found in paragraph 7(3)(d) and grounding disclosures in real problems rather than fishing expeditions.

This would mean three things: first, the threshold under paragraph 7(3)(d.1) should be based on a “reasonable grounds to believe” that the information relates to an actual breach or contravention; second, the threshold under paragraph 7(3)(d.2) should be based on a “reasonable grounds to believe” that the information relates to the detection or suppression of fraud that “has been, is being or is about to be committed”; and third, disclosures under paragraphs 7(3)(d.1) and 7(3)(d.2) should only be permitted on the initiative of the disclosing organization.

In addition a mechanism for enhancing transparency and accountability around these disclosures would be needed. For example, disclosing organizations could be required to issue transparency reports and to document the analyses undertaken in deciding to disclose under these provisions.

Finally, I would like to address the Spencer decision and how I believe it impacts paragraph 7(3)(c.1) of PIPEDA.

In the Spencer decision, the Supreme Court held that police need a warrant or a court order when seeking subscriber information from an organization subject to the act.

In the court's view, there is a reasonable expectation of privacy in subscriber information connected with online activity and the police request that the organization voluntarily disclose this information constituted a search that violated the Charter. I believe that this decision is a significant step forward in protecting privacy, but it leaves unanswered the question of what types of information attract a reasonable expectation of privacy and the related question of when organizations may voluntarily disclose other types of information in response to a police request.

As a result, organizations are left in a state of uncertainty and ambiguity as to when they may or may not disclose personal information without warrant and it leaves individuals in the dark about when their personal information may be disclosed to state authorities without their consent or prior judicial authorization.

I would therefore urge the committee to recommend putting an end to this state of ambiguity by clarifying when, post-Spencer, the common law policing powers to obtain information without a warrant may still be used. I believe that a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada's decision.

More specifically, I would recommend that Parliament provide greater clarity and transparency by amending PIPEDA to define “lawful authority” for the purposes of paragraph 7(3)(c.1) in line with the Supreme Court's decision, that is, where there are exigent circumstances, pursuant to a reasonable law other than paragraph 7(3)(c.1), or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.

Thank you for your attention. I would be happy to answer any questions you may have.

11:10 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Commissioner, for your testimony.

Colleagues, based on the time we have, we'll do our usual when we have two panels, which is five minutes each.

We'll begin with Mr. Lake.

11:10 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Thank you to the witnesses for coming today.

Mr. Therrien, when was the last time PIPEDA was changed?

11:10 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Certainly several years ago. I understand this bill is the outcome of a five-year review of PIPEDA called for in the original legislation.

Certainly I support the bill, subject to two amendments, but generally I support this bill.

Some of the provisions in this bill are overdue in my opinion, particularly the requirement for mandatory notification in the case of breaches.

As to the date....

11:10 a.m.

Patricia Kosseim Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

The last round of amendments to PIPEDA would have come into force with the CASL legislation that made consequential amendments to PIPEDA in light of the anti-spam legislation. I believe that may have been the last time, but certainly there was no full review as per the requirement of the act.

11:10 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

It has been several years since we went this deep into PIPEDA as a Parliament.

In terms of the work that your office does, how will the legislation as proposed right now change the operations of your office?

11:10 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think there are two main amendments that are very necessary and that will be helpful for us to implement and apply.

I refer to the obligation imposed on organizations to notify the OPC and the concerned individuals in the case of data breaches. We know from media reports and other information that data breaches are an important and growing phenomenon both for public and private institutions, and we think it will be an important progress in PIPEDA to have this regime of mandatory breach notification.

We think, obviously, that there will be repercussions on resources. We currently have a voluntary notification process applicable to private organizations in the case of breaches. From year to year we see there are fluctuating numbers, but there are approximately 60 notifications under that regime. We expect that the number will increase significantly with mandatory breach notification. That was the experience in Alberta when the voluntary scheme became mandatory. There will be an impact for sure. Overall, we think that this is a very positive development.

In addition to that, a second major amendment that I would mention has to do with compliance agreements. We seek to work with organizations to promote compliance with PIPEDA. This means in some circumstances that following complaints, we engage in discussions with organizations on resolving complaints conditionally, meaning that organizations change their practices in order to be more compliant with PIPEDA. The mechanism of compliance agreements would further enhance that capacity.

11:10 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

I have one minute to talk about valid consent. I know that it doesn't apply specifically just to kids, but a lot of parents would be interested in some of the changes being made in that area.

Could you give an example of the type of thing that we're dealing with when we talk about enhancing the concept of valid consent?

11:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Currently, PIPEDA is based in large part on the concept that information is to be collected and used with the consent of the individual to whom it pertains, and that deals with a private organization. That concept is not defined; nevertheless, it has been the subject of many investigations and pronouncements by the office.

We think that the proposed definition of consent would be useful. It may not be absolutely necessary; we already have a concept that is workable, but I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of the various clientele from whom they are collecting information so that consent is as meaningful as possible.

That would be useful.

11:15 a.m.

Conservative

The Chair Conservative David Sweet

Okay, thank you, Mr. Commissioner.

Now we go to Ms. Nash for five minutes.

11:15 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

My thanks to you, Mr. Therrien, and to your team for joining us today to give testimony before our committee.

I have two questions that I hope I have time for.

The first concerns the point that you made to ensure that this legislation is compliant with the R. v. Spencer decision, and like you, we support the need for this legislation and believe that it is long overdue.

In your testimony, you argued for better clarity for organizations around disclosure and also clarification for individuals. The British Columbia Legislative Assembly has just published a report on their review of their Personal Information Protection Act, PIPA, in which they suggest amending articles in the bill that allow for voluntary warrantless disclosure, very similar to the articles in PIPEDA, and they are doing this as a response to this court decision, fearing a charter challenge.

Do you think that adds weight to your recommendation that the government should avoid any potential court challenge and amend this legislation to reflect the concerns that you raised here before the committee?

11:15 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Thank you for the question.

Frankly, I haven't read the amendment proposed in the B.C. legislation, so I can't comment on that particular formulation, but I'll say a few things.

Point one, the Spencer decision is a huge development for privacy law. It is very helpful; it has set already very good parameters for the collection of information without warrants, by prescribing that police agencies—the state—need a warrant to collect information when that information relates to the activities and interests of individuals on the Internet. That is already a very good starting point.

There is an issue, though, that has not been clarified by the Supreme Court, nor could it be, I think. It left the possibility of the collection of information without warrant when there is no reasonable expectation of privacy.

Following Spencer, we have heard from various private organizations how they intend to apply this, and we have seen variances. We've also seen various interpretations of it by government departments.

That brings me to the view that we're starting from a very good starting point with the Supreme Court's decision, but given the ambiguity and the different interpretations given by private organizations and government departments, I think it would be useful if Parliament were to provide clarity, in having a regime that would set out, explain, define in what circumstances there is no reasonable expectation of privacy. With this, ultimately Canadians would have a much better sense of what type of information and in what circumstances the information they put on the Internet might be collected without warrants by state authorities.

11:20 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you. That's helpful. The minister said that he thought the existing bill was already compliant with R. v. Spencer, so that information is helpful.

I also want to ask you, because you argued for the existing investigative body regime under paragraph 7(3)(d), but described another potential approach, to tell me why the current regime of oversight is preferable, in your view.

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's for two reasons, essentially.

Point one, I totally agree that there needs to be provision in PIPEDA allowing organizations to address the issue of fraud or breaches of agreements that they may face. The question is how to do it. The current regime, I think, is preferable to what is proposed in Bill S-4 in that, first, it does not allow for fishing expeditions, so that the threshold for the suspicion an organization has that there might be fraud involved is at a higher level, which I think is preferable. Second, the investigative body regime calls for transparency and publicity—we know what the investigative bodies are—as opposed to the proposed modifications whereby any organization could share information with any other organization, so that there would be less transparency, as well as room ultimately for fishing expeditions.

11:20 a.m.

Conservative

The Chair Conservative David Sweet

That's all the time we have there.

We'll go to Mr. Carmichael for five minutes.

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Good morning to you and your colleagues, Commissioner.

Commissioner, in your opening comment or, I believe, in an answer to my colleague's question, you mentioned that data breaches are a common and growing phenomenon and that annually you receive some 60 notifications.

Is that correct? Is that approximately the right number?

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Yes. The number fluctuates, but it's roughly 60.

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

With mandatory notification, this will increase as we go forward.

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Could you tell us how the requirement to maintain records of data breaches will increase your office's ability to provide oversight and enforce the obligation to notify individuals of data breaches that present a real risk of significant harm?

February 17th, 2015 / 11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The requirement in question would require organizations to keep records of data breaches of any kind. We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.

In part this provision that you're referring to will allow us to determine whether the organizations are complying with mandatory breach notifications. If they are not, in the worst-case scenarios, we could advise police authorities and the Attorney General so that prosecutions could be made against these organizations. So it's a clear incentive for organizations to comply with the requirement.

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Would these records be maintained by your office, or is it the requirement of the corporations to retain those records?

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The corporations would have the obligation, and we would have the ability to review these records.

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you.

I wonder if you could explain in a bit further detail, then, the new enforcement tools that will give the bill and give you and your office greater authority.