Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada
Scott Smith, Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
David Elder, Special Digital Privacy Counsel, Canadian Marketing Association
Wally Hill, Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Can you tell me if you're aware of any specific instances where there have been significant problems with the legislation as it's drafted in Alberta or B.C.?

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'm not aware one way or the other whether they're having problems with these provisions.

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Just to be clear, that new legislation we're putting forward brings us more in line with those provinces, the legislation of those provinces, more consistent.

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That's correct, but as I've stated, the thresholds issue particularly makes me concerned that organizations would be able to share information for potential breaches or fraud cases that may not have materialized. That is a concern, a very real concern for me.

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Just to be clear, you're not aware that it has happened in Alberta or B.C.

11:50 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I have no information to that effect, no.

11:50 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Right, okay. Then you also mention, “However, if that is not possible, then I would recommend keeping the existing PIPEDA thresholds found in paragraphs 7(3)(d), and grounding disclosures in real problems rather than fishing expeditions”. Then you have three bullet points.

It looks as though the changes that you're suggesting are very minor tweaks to what is being proposed in the legislation. Would that be fair to say?

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

No, I would disagree with that. I think there is a fairly big difference between the proposed regime which would be authorizing organizations to share information for the purpose of investigating potential breaches versus the current regime where information can be shared only when an organization has reason to believe that there is a breach.

The difference is between investigating potential breaches or potential risk that a company thinks may be vulnerable to criminal activities, but without any evidence that there is such activity happening versus the current regime that requires reasonable grounds to believe that there is actually illegal activity occurring.

11:55 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

When I look at (d.1) and (d.2) in relation to the suggested changes, (d.1) says, “is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada”. You use the quote “reasonable grounds to believe”. It seems as though there is very little to choose between the two.

It's the same thing with your second bullet point where you also talk about “reasonable grounds to believe”. I noticed you referred to a second quote that you would change to “has been, is being or is about to be committed”.

In (d.2) it says, “is likely to be committed” in terms of the way the legislation goes.

Maybe specifically refer to what the difference is between them.

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

“Likely” refers to a potential breach, so a breach that in the eyes of the organization is likely to occur but has not yet been seen.

11:55 a.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Similar to when I use my credit card one day in Edmonton, the next day in Ottawa, and the next day in Jamaica, there might be a concern by the credit card company that there might be fraud likely to be committed, so I might get a phone call. Because someone shared some information, I might get a phone call suggesting that there might be something up with my credit card. Is that right?

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

At the end of the day, I think the difference is between allowing organizations to share for potential breaches not yet seen versus the current regime which requires that the breach has been seen or is occurring. There is a big difference in my opinion.

11:55 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Commissioner.

Thank you, Mr. Lake.

I wonder if I can make one small intervention because of the number of questions.

Mr. Lake referred to the fact that there is legislation in three provinces in regard to privacy. I know that Ontario has a privacy commissioner. Is there ongoing dialogue in regard to efficiency between the offices, overlap of legislation, ensuring that the best value for dollar, so to speak, is happening for Canadians and of course each resident of each province? Do you have a best practices meeting once a year?

I think the general public would probably want to know how you interact with the other offices.

11:55 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

There is an annual meeting of federal and provincial privacy commissioners. We do work jointly on a regular basis. Guidance is often provided jointly so that there is consistency in what organizations receive.

So absolutely, we work in a very cooperative fashion with provincial commissioners, in part with a view to ensure greater efficiency.

11:55 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Commissioner. I'm certain that all of my colleagues agree that we are very thankful for your testimony.

Colleagues, we will suspend while the next panel comes forward and then we will continue.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Colleagues, we're back in session. We have before us two organizations.

The Canadian Chamber of Commerce is represented by Scott Smith, director of intellectual property and innovation policy.

Welcome, Mr. Smith.

Also before us is the Canadian Marketing Association, represented by David Elder, special digital privacy counsel. You'll see another name listed, Wally Hill. I've been advised that he may be bursting through the door at any moment; he's on a delayed flight. He is the senior vice president of government and consumer affairs. Mr. Elder will hold the fort while we're waiting for him.

We'll begin in that order.

Mr. Smith, would you begin your opening remarks, please.

12:05 p.m.

Scott Smith Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Thank you, Mr. Chairman and members of the committee. The Chamber of Commerce appreciates the opportunity to address you on the subject of Bill S-4 and the changes that are proposed for the Personal Information Protection and Electronic Documents Act.

There has been much effort exerted in crafting this bill. As you're aware, there have been several iterations of it over the past few years. This is certainly not the first attempt at making changes to what is arguably the envy of other countries that are now just waking up to the principle of accountability.

This is principles-based regulation, and it provides guidance to business regarding their privacy obligations, avoiding overly prescriptive rules while at the same time permitting the necessary level of flexibility that leads to innovation.

In short, PIPEDA is a balance. Making legislative change without tipping that balance is a delicate matter. We would argue that the changes proposed in Bill S-4 are a successful attempt at maintaining the balance. The recommendations I'm going to be providing are very much procedural in nature and are not intended to fundamentally alter the spirit or intent of the bill. I'd like to characterize my comments as an opportunity to draw the committee's attention to specific provisions of the government's proposal that might benefit from targeted revisions that would align the changes to current industry practices while still meeting the government's objectives.

We support the objectives of Bill S-4 and the various proposed changes to PIPEDA that will bring some additional certainty and improvements to the overall PIPEDA framework, such as the new provisions regarding disclosure of personal information in the course of business transactions. These would broaden the scope of the exemption for business contact information to cover any information that is used to communicate or facilitate communication with an individual for business, employment, or professional purposes.

We are proposing targeted changes in four specific areas: one, valid consent; two, breach notification thresholds and record keeping; three, public disclosures; and four and perhaps most important, network information security.

The new valid consent provision in Bill S-4 denotes an obligation on organizations to pay particular attention to vulnerable individuals. While this is principles-based and broad in scope, the narrative around this provision has focused on specific categories of individuals. We see this as a concern for organizations that market broadly.

We also see it as unnecessary. I think you heard from the Privacy Commissioner this morning as well that this is a provision that, while he suggests it may be useful, isn't necessarily required. Section 5 of the act obligates every organization to comply with the model code, which is schedule 1. Section 4.3.2 of the model code says that for consent to be meaningful, “the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed”. In our view, this principles-based approach already captures the intent of Bill S-4, and we think the bill could be improved by simply deleting that clause.

The objective of notifying individuals in order to mitigate the risk of significant harm is quite different from the objective of notifying the Office of the Privacy Commissioner in order to catalogue breaches. This distinction is captured in the OPC guidelines from 2007 that define a real risk of significant harm and what constitutes a material breach. This dual threshold has been in practice for over a decade and is working well. In these cases there is no material breach, and the OPC reporting requirement would be onerous for both the organization and the OPC.

We encourage language that allows organizations to assess the risks associated with a breach and the OPC to issue guidance on what constitutes a material breach that triggers a reporting requirement, in other words, the existing regime.

Because there is no definition of what constitutes a material breach, record keeping is also problematic. Many occurrences, such as an unlocked filing cabinet with employee records, technically constitute a breach but have no material consequences. Keeping records in the prescribed manner for an unspecified time period when there is no impact on the privacy of an individual, where the failure to keep those records constitutes a criminal offence, is an unreasonable burden on organizations.

Also, with respect to what constitutes a material breach, we note that the compliance agreements should be directly linked to and focused on the requirements of PIPEDA to ensure transparency and clarity in the act regarding what companies must do to avoid finding themselves in a situation that might warrant a compliance agreement in the first place.

As drafted, proposed new section 17.1 raises concerns that overly broad language, for example, “any terms”, could result in potential jurisdictional overreach by the Privacy Commissioner. This limitation should be accompanied by a reasonable notice period.

Also, in clause 17, we are concerned that an exception to the general prohibition on disclosure granted to the Privacy Commissioner is out of step with other Canadian statutes, such as the Competition Act, and may have the unintended consequence of undermining current cooperative relationships and information sharing.

I've just spoken about the modifications we're recommending. We believe there's one very important omission in Bill S-4 that does warrant your consideration, which brings me to network information and security. The average number of days that a threat can reside on a network undetected is 229, and networks extend beyond individual organizations.

On February 13, President Obama issued an executive order calling for improved private sector cybersecurity information. This order recognizes that, in countering cyberthreats, private companies, not-for-profit organizations, executive departments and agencies of the government, and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible. We believe the same mechanisms are necessary here in Canada.

While proposals under Bill S-4 provide some limited exceptions to allow for collection, use, and disclosure of personal information, changes are needed to provide organizations with a legal certainty to effectively manage these threats. We are interpreting that network information security processing falls within the scope of PIPEDA since data processed for network information security purposes is often personal information like a name, an IP address of a botnet zombie computer, or an e-mail address. We are essentially asking for a clear-cut exception for network security information processing so that organizations have legal certainty and aren't forced to curtail network information security processing or operate in a legal grey area.

Our specific recommendations for text changes were submitted by the Canadian Chamber of Commerce on behalf of a coalition of businesses and organizations, and I urge you to consider those recommendations in the spirit of crafting the most effective privacy legislation.

Thank you for your consideration.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Smith.

Now we move to Mr. Elder.

12:10 p.m.

David Elder Special Digital Privacy Counsel, Canadian Marketing Association

Thank you very much, Mr. Chairman.

Again, I'd like to apologize on behalf of my colleague Mr. Hill, who was delayed twice this morning on a plane. We all know what it's like travelling in this great country of ours at this time of year.

Thank you to the committee for the invitation to appear before you today, to comment on the digital privacy act, or Bill S-4.

The Canadian Marketing Association, or CMA, is the largest marketing association in Canada, with some 800 corporate members embracing Canada's major business sectors in all marketing disciplines, channels, and technologies.

The CMA is the national voice for the Canadian marketing community, and our advocacy efforts aim to promote an environment in which ethical marketing can succeed. With a few caveats, the CMA supports the government's initiative to update Canada's private sector privacy law. I should highlight two elements of particular importance to marketers.

First, the digital privacy act clarifies the definition of business contact information, so that electronic business addresses are treated in a manner consistent with that found in other privacy laws. This is an important and welcome change which businesses requested during the last review of PIPEDA.

Second are the breach notification provisions. During the last PIPEDA review, the CMA encouraged the Privacy Commissioner to develop national breach notification guidelines, which were issued in 2007, after consultation with stakeholders. The S-4 breach provisions build on those guidelines and will bolster consumer confidence that organizations will safeguard their personal information. This is especially important in 2015, when so much of our commerce occurs through digital channels.

We agree with the views and proposals presented by the Chamber of Commerce. I'd like to elaborate, however, on two of the issues addressed by my colleague.

First, proposed section 10.3 in the bill requires that organizations keep and maintain a record of every breach of security safeguards involving personal information under its control. This is of some concern, because the term “breach” is very broad, and there can be many technical breaches that could include any unauthorized access or disclosure of personal information no matter how mundane or non-sensitive.

There's no mention in this record-keeping requirement of a standard of materiality. All breaches will have to be diligently logged in a prescribed manner, even when there is clearly no risk. This could become an onerous obligation for businesses, especially for small and medium-sized businesses.

It creates several other challenges for organizations. There's the cost of gathering and storing that information. It also runs counter to good privacy practices to unnecessarily retain such personal information, especially for what appears to be an indefinite period of time.

Finally, one of the issues with this record-keeping concern is that it's one of the very few provisions in PIPEDA a violation of which constitutes an offence under the act. Consistent with what Mr. Therrien said this morning about how businesses have approached reporting breach notifications, I think you will also have a situation here in which we may have overcollection because businesses want to be onside with the law. As well, a great deal of effort and material will be spent cataloguing very minor breaches.

The CMA recommends that a materiality threshold be introduced as outlined in the business coalition brief. At a minimum, it's very important that the materiality threshold and retention period be addressed, first with a reference in the law, and then possibly through a more detailed regulation.

The second issue I'd like to talk about is clause 5, which proposes a new section 6.1, which elaborates on the definition of what it means to obtain valid consent. The minister has explained that this clause is intended to reinforce existing best practices, to protect certain groups, such as children, who may have more difficulty understanding privacy and related consent language.

Incidentally, the CMA has long required that its members afford special consideration for young people. The OPC has also noted favourably how the CMA code of ethics and standards of practice puts in place special consent provisions for the collection, use, and disclosure of personal information from children and teenagers for marketing purposes.

However, in addition, the OPC has already, under the existing wording, issued decisions requiring that extra care be exercised to ensure that young people understand an organization's privacy practices, and has further produced guidelines indicating that organizations should recognize and adapt to special considerations in managing the personal information of children and youth.

There's a presumption, as you would well know, in statutory interpretation that each provision is supposed to do something. It's often said that the legislatures don't speak in vain. The question here is, what does this new provision do? If we already have a provision that requires generally that individuals understand what their information is being used for and give consent based on that knowledge, what additional does this do?

I think the concern here is that the clause, as written, could lead to a broad interpretation with additional obligations. We've heard that the concern is about children and vulnerable groups. However, that's not what the bill says. It's much broader than that, and we would like some clarification of that bill.

Actually, our recommendation would be to drop this clause or, as a fallback, to amend it to clarify that it is intended to apply only to vulnerable groups.

Canadian marketers and the CMA fully recognize that consumer confidence is of paramount importance and that respect for personal information is a key ingredient. The preamble to PIPEDA states that the law is intended to promote electronic commerce by protecting personal information. Sound privacy protection practice is good for consumers, good for businesses, and good for our economy.

We thank the committee for its attention and would be pleased to answer any questions you might have.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Elder.

Colleagues, there is another committee coming in here afterwards which I'm very familiar with, as I mentioned to you before, so we'll have to stay pretty tight to times. Witnesses and colleagues, please forgive me if I cut you off; we have to stick to four minutes.

I'll begin with Mr. Lake.

12:15 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Thank you, Mr. Chair.

Thank you to the witnesses for coming.

You both brought up section 6.1. I am really interested because as I read this, it sounds pretty straightforward. I can't imagine that most Canadians looking at this would have too much trouble with the wording. I'll just read it because it's not very long.

“the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”

I don't really understand the hesitation from both of you regarding that kind of language. I think most Canadians would expect that a user taking a look at a website or signing up for an organization's activities would be able to understand what that information is going to be used for.

12:20 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

Thank you for that question, Mr. Lake.

The concern is that we already have language in the law which says that to make a consent meaningful, the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed. What we're trying to understand is what additional requirement is being proposed under this consent, particularly given that we've already had decisions out of the OPC and guidance issued particularly about vulnerable groups.

The concern is, how far does this go?

I think the industry accepts, particularly when you're dealing with children and youth, that you need to have privacy policies worded in such a way that they would be reasonably understandable by that audience.

But how far does it go? If I have a multitude of sites, and for operational reasons I'd obviously like to have a single privacy policy for each one, how granular do I have to be? If one of my sites is directed at hockey fans, do I have to do survey research to tailor that to hockey fans because they might have a different way of understanding the way things are presented? If I'm a game manufacturer and I have a role-playing game and I have something like Candy Crush and I also have a word game, do I have to have something different for each of those? I think this is what we're concerned about.

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Actually, yes, you do.

Quite honestly, if your target market in one of the situations is adult hockey fans and your target market in another situation is eight-year-old kids you should have a different approach.

12:20 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

Exactly. But if your target market is adults in both cases—

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Then you should be fine.