Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
David Elder  Special Digital Privacy Counsel, Canadian Marketing Association
Wally Hill  Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I believe you are probably referring to compliance agreements—

11:20 a.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Sorry, yes.

11:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

—so I'll ask my colleague Madam Kosseim to answer your question.

February 17th, 2015 / 11:20 a.m.

Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada

Patricia Kosseim

Thank you for the question.

Currently under PIPEDA there is a requirement to complete the investigation within a prescribed time period, and there are 45 days after which either the complainant or the commissioner can proceed to court for a de novo hearing in the event that we cannot resolve a matter with an organization.

As we've experienced in practice, 45 days is a very short time period to resolve some of the highly complex technological issues or broader accountability issues that organizations quite rightly need time to rectify, so we have developed a mechanism to allow organizations the time to put in place our recommendations. We then follow up with them several months, if not a year, afterwards to ensure they did follow through on the recommendations they said they would undertake to do.

The problem is that in those circumstances, our ability to go to court can be challenged if we're outside the prescribed period. I think the compliance agreements reflect what is really an ongoing reality, which is that it takes time to resolve some of the issues, to comply with the recommendations. It would be helpful because in many cases these understandings or recommendations are undertaken with the agreement of the organizations, and it's just a matter of time.

The compliance agreements in the new bill would allow both them and us time to resolve the issue, but would still leave the door open if we need to proceed to court for enforcement.

11:25 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Ms. Kosseim.

Thank you very much, Mr. Carmichael.

We will now move on to Madam Sgro for five minutes.

11:25 a.m.

Liberal

Judy Sgro Liberal York West, ON

We're glad to have you here.

I have a couple of questions.

How are Canadians going to be better off with Bill S-4? We know certainly some of them...front level, but I'm concerned with some of the other possible breaches and your ability as a department to pursue them.

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think the requirement for that breach notification is a big part of it. The importance of this should not be underestimated. As I have said, and as we all know, breaches are a growing concern. With this requirement for organizations to advise both my office and individuals, we ensure, of course, that individuals are more regularly advised, and it will allow the office to analyze trends and to provide useful, practical, grounded advice to both organizations and individuals on how to reduce the risk of these data breaches. That's a big part.

Other than that, the compliance agreements will further enhance our ability to ensure compliance by organizations in a model without order-making power, but still it's a useful development to enhance these compliance mechanisms.

Consent is a big part of PIPEDA, and I think it's useful to have this clarification of what actually is consent. We obviously know that it is a huge challenge for organizations to properly advise individuals of the reasons they collect information and they use it, so any tool that enhances, that provides an incentive for organizations to be clearer, and to take into account the context of the individual or consumer I think helps Canadians.

11:25 a.m.

Liberal

Judy Sgro Liberal York West, ON

How large a department do you have?

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have approximately 180 employees.

11:25 a.m.

Liberal

Judy Sgro Liberal York West, ON

Much of the data I see going through our various systems will often have “I accept the terms and conditions” and respect for this, that, and the rest of it.

Do you get a lot of complaints from people who didn't realize it, didn't bother to read the fine print, and expose themselves to being manipulated by the use of the data?

11:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Certainly, consent forms a significant part of the complaints we receive. Yes.

11:25 a.m.

Liberal

Judy Sgro Liberal York West, ON

Is there a review in your office about how that could be clarified in a simpler way so people would know what they are consenting to when they say “I accept”?

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We've issued a number of documents that seek to inform both organizations. We have given guidelines to organizations on this matter and also to individuals, so that exists.

We're currently having discussions with stakeholders at the OPC in trying to establish new priorities for the next few years. One of the important themes mentioned by stakeholders during these meetings is although they think the OPC has played a useful role in providing guidance in this area of consent, overwhelmingly people are saying we should play a bigger role in education.

I take that advice, and certainly it's likely to be one of the things we want to enhance in future years.

11:30 a.m.

Liberal

Judy Sgro Liberal York West, ON

The combination of C-13 and S-4, the impact of both of those pieces of legislation will be fairly significant, from what I understand.

Do you have any additional concerns over what you have mentioned specific to S-4 once those two are combined?

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I reiterate what I answered to Madam Nash, namely, yes, C-13 and S-4 on the issue of warrantless access to information create challenges and issues.

The decision of the Supreme Court in Regina v. Spencer is extremely useful and sets good parameters. I think it would be useful to go a step further and to further clarify lawful authority with a combination of the decision of the Supreme Court in Spencer plus a clarification of the circumstances where government can collect without warrant when there's no reasonable expectation of privacy. I think that would be a reasonable regime.

11:30 a.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Commissioner. That's all the time we have.

We move to Mr. Daniel for five minutes.

11:30 a.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Thank you, folks, for being here. I have some fairly fundamental questions.

First, is there a clear enough definition for you to do your job in terms of what is considered private information versus what's already available in the public domain?

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

One of the virtues of PIPEDA in my view is it is written in general terms, so it's conceivable that certain concepts like personal information, consent, or other concepts that are fundamental to PIPEDA might be further clarified. But on the whole I think it's better to have legislation written in general language, which allows for flexibility in application, a possibility to make the act relevant to various circumstances and to give practical advice.

11:30 a.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Thank you for that.

To follow on that, numerous companies trade in data. What do you think the implications are to these sorts of organizations in terms of privacy?

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think you're referring to data brokers.

11:30 a.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

That's right.

11:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

That is clearly an area of concern. When individuals, consumers by and large, provide information to companies, they do so on the basis that they will receive a direct service from the company, and the agreement between the individual and the organization is information provided in return for a service.

Data brokers then collect information. They are not providing a direct service to the consumer. They are providing a service to other organizations. Individuals whose data is involved in many cases, if not in most cases, do not know of the existence of these activities, so this is clearly an area of concern that we need to pay more attention to and that other jurisdictions are paying more attention to.

11:35 a.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

In your introductory speech, you also talked about the determination of risk and the risk on the data that has been breached. You've put that responsibility on the person who actually created that breach, or should I say, that was breached. Is that correct?

Don't you think that allowing the people who have actually disclosed to decide whether it should be advised to you is kind of like putting the fox among the chickens?

11:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The first point I would make is that we can devise a breach notification regime in any number of ways. The one that you have in front of you is a good compromise. It's reasonable. Is there a better system conceivable? Probably. What I would ask you to do is to adopt that regime because the main point is we need mandatory breach notification.

Is it appropriate to leave organizations with the duty or the discretion to notify or not? In practical terms, we see that in Alberta, which has a similar scheme, but also federally with the voluntary breach notification that we've enforced for the past few years, organizations by and large do not under-report. They over-report. They want to report borderline cases because they don't want to be seen as under-reporting. Moreover, in Bill S-4, there will be penalties for those who under-report. Again, is this the best regime possible? Maybe, maybe not. I think it's reasonable overall and should be adopted.

11:35 a.m.

Conservative

The Chair Conservative David Sweet

Thank you, Mr. Daniel.

Ms. Papillon, go ahead. You have five minutes.