Thank you, Mr. Chairman and members of the committee. The Chamber of Commerce appreciates the opportunity to address you on the subject of Bill S-4 and the changes that are proposed for the Personal Information Protection and Electronic Documents Act.
There has been much effort exerted in crafting this bill. As you're aware, there have been several iterations of it over the past few years. This is certainly not the first attempt at making changes to what is arguably the envy of other countries that are now just waking up to the principle of accountability.
This is principles-based regulation, and it provides guidance to businesses regarding their privacy obligations, avoiding overly prescriptive rules while at the same time permitting the necessary level of flexibility that leads to innovation.
In short, PIPEDA is a balance. Making legislative change without tipping that balance is a delicate matter. We would argue that the changes proposed in Bill S-4 are a successful attempt at maintaining the balance. The recommendations I'm going to be providing are very much procedural in nature and are not intended to fundamentally alter the spirit or intent of the bill. I'd like to characterize my comments as an opportunity to draw the committee's attention to specific provisions of the government's proposal that might benefit from targeted revisions that would align the changes to current industry practices while still meeting the government's objectives.
We support the objectives of Bill S-4 and the various proposed changes to PIPEDA that will bring some additional certainty and improvements to the overall PIPEDA framework, such as the new provisions regarding disclosure of personal information in the course of business transactions. These would broaden the scope of the exemption for business contact information to cover any information that is used to communicate or facilitate communication with an individual for business, employment, or professional purposes.
We are proposing targeted changes in four specific areas: one, valid consent; two, breach notification thresholds and record keeping; three, public disclosures; and four and perhaps most important, network information security.
The new valid consent provision in Bill S-4 denotes an obligation on organizations to pay particular attention to vulnerable individuals. While this is principles-based and broad in scope, the narrative around this provision has focused on specific categories of individuals. We see this as a concern for organizations that market broadly.
We also see it as unnecessary. I think you heard from the Privacy Commissioner this morning as well that this is a provision that, while he suggests it may be useful, isn't necessarily required. Section 5 of the act obligates every organization to comply with the model code, which is schedule 1. Section 4.3.2 of the model code says that for consent to be meaningful, “the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed”. In our view, this principles-based approach already captures the intent of Bill S-4, and we think the bill could be improved by simply deleting that clause.
The objective of notifying individuals in order to mitigate the risk of significant harm is quite different from the objective of notifying the Office of the Privacy Commissioner in order to catalogue breaches. This distinction is captured in the OPC guidelines from 2007 that define a real risk of significant harm and what constitutes a material breach. This dual threshold has been in practice for over a decade and is working well. In these cases there is no material breach, and the OPC reporting requirement would be onerous for both the organization and the OPC.
We encourage language that allows organizations to assess the risks associated with a breach and the OPC to issue guidance on what constitutes a material breach that triggers a reporting requirement, in other words, the existing regime.
Because there is no definition of what constitutes a material breach, record keeping is also problematic. Many occurrences, such as an unlocked filing cabinet with employee records, technically constitute a breach but have no material consequences. Keeping records in the prescribed manner for an unspecified time period when there is no impact on the privacy of an individual and the failure to keep those records constitutes a criminal offence is an unreasonable burden on organizations.
Also, with respect to what constitutes a material breach, we note that the compliance agreements should be directly linked to and focused on the requirements of PIPEDA to ensure transparency and clarity in the act regarding what companies must do to avoid finding themselves in a situation that might warrant a compliance agreement in the first place.
As drafted, proposed new section 17.1 raises concerns that overly broad language, for example, “any terms”, could result in potential jurisdictional overreach by the Privacy Commissioner. This limitation should be accompanied by a reasonable notice period.
Also, in clause 17, we are concerned that an exception to the general prohibition on disclosure granted to the Privacy Commissioner is out of step with other Canadian statutes, such as the Competition Act, and may have the unintended consequence of undermining current cooperative relationships and information sharing.
I've just spoken about the modifications we're recommending. We believe there's one very important omission in Bill S-4 that does warrant your consideration, which brings me to network information and security. The average number of days that a threat can reside on a network undetected is 229, and networks extend beyond individual organizations.
On February 13, President Obama issued an executive order calling for improved private sector cybersecurity information. This order recognizes that, in countering cyberthreats, private companies, not-for-profit organizations, executive departments and agencies of the government, and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible. We believe the same mechanisms are necessary here in Canada.
While proposals under Bill S-4 provide some limited exceptions to allow for collection, use, and disclosure of personal information, changes are needed to provide organizations with a legal certainty to effectively manage these threats. We are interpreting that network information security processing falls within the scope of PIPEDA since data processed for network information security purposes is often personal information like a name, an IP address of a botnet zombie computer, or an e-mail address. We are essentially asking for a clear-cut exception for network security information processing so that organizations have legal certainty and aren't forced to curtail network information security processing or operate in a legal grey area.
Our specific recommendations for text changes were submitted by the Canadian Chamber of Commerce on behalf of a coalition of businesses and organizations, and I urge you to consider those recommendations in the spirit of crafting the most effective privacy legislation.
Thank you for your consideration.