Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was organizations.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Patricia Kosseim  Senior General Counsel and Director General, Legal Services, Policy and Research, Office of the Privacy Commissioner of Canada
Scott Smith  Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
David Elder  Special Digital Privacy Counsel, Canadian Marketing Association
Wally Hill  Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association

12:20 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

—adults who you have no reason to think are any different but have different characteristics, they are a different target market, how far do you have to go? I think that has been the concern.

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

How far do you have to go? You have to go to the point where the person would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information. That seems pretty clear.

12:20 p.m.

Conservative

The Chair Conservative David Sweet

Very briefly, Mr. Smith.

12:20 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

I think the second part of that question is, what constitutes vulnerable? It's not defined in the act.

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

So?

12:20 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

Okay.

Well, the other side of it is the number of instances where you have that also for companies that target broadly. For instance your social networking sites that would target everybody need different policies to be able to appeal to different people.

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

They're gathering information; one would hope they know who they're targeting

12:20 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

But they're targeting everybody.

12:20 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

Well, then, you know what? Everybody includes kids, and if they're not going to differentiate, I guess they have to make everything easy enough for an eight-year-old to understand.

12:20 p.m.

Conservative

The Chair Conservative David Sweet

That's all the time you have.

We will now move on to Ms. Nash.

Peggy Nash NDP Parkdale—High Park, ON

Thank you, Mr. Chair.

I'm just trying to get clear in my mind this discussion about consent.

We've heard from both of you that this presents a challenge. You've said that it's a hardship, and that it costs businesses to be compliant. You've also said that it's unnecessary because the Office of the Privacy Commissioner is currently able to ensure valid consent of minors, and that industry best practices are high enough to protect minors, as well as other groups.

If it is the case that the current provisions are adequate, and if you're convinced that this change, which the commissioner says is useful, is not going to change much, why is there any additional cost associated with it? How can it possibly be a hardship if you're saying it's not doing anything?

12:25 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

I guess the assumption is that it must do something, otherwise Parliament would not enact such a provision.

Peggy Nash NDP Parkdale—High Park, ON

The commissioner believes it will do something. He believes it will go down the road another step—I think that was how he put it—to securing better knowledge of consent, and a more meaningful consent.

12:25 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

I'm not really seeing how that would work. Again, the wording currently says that you have to state purposes in such a manner that the individual can reasonably understand how the information will be used or disclosed. The wording now says similar things; it says, “would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information”.

Peggy Nash NDP Parkdale—High Park, ON

My question for you is, if that's the case, where is the problem?

12:25 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

What I would say is, if this doesn't do anything, then there's no reason for it to be here.

Peggy Nash NDP Parkdale—High Park, ON

You're saying it's superfluous.

12:25 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

If it is here, I'd like to better understand what it does that's different from what we already have, where we already have this requirement that the individual needs to understand the purposes, and where we already have guidance from the OPC about how to treat children, for example, and other disadvantaged groups.

Peggy Nash NDP Parkdale—High Park, ON

Perhaps it just formalizes the guidelines you say industry is already following, and codifies them in law in a way that adds greater clarity. The commissioner believes that it adds greater protection. My question is whether it's either a burden and a hardship or whether it does nothing. I have trouble understanding that it's both a burden and a hardship to business, but that it doesn't do anything in this case. The commissioner says it is helpful; it is another step in providing meaningful consent. To me that's a worthy goal. I'm trying to understand what is the undue hardship to business that suddenly will transform the way business behaves.

12:25 p.m.

Conservative

The Chair Conservative David Sweet

Briefly, please.

12:25 p.m.

Special Digital Privacy Counsel, Canadian Marketing Association

David Elder

Again, part of it is that we don't really know. If it is a clarification, it might be useful to have a revision that says “for greater certainty”, or something like that to indicate that we are just trying to clarify an existing obligation. Our concern is what this means additive to what's already here. If it doesn't do something additive to what's already here, there's no reason to enact it. That's how a court would interpret this.

12:25 p.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Elder.

Now Mr. Carmichael for four minutes.

12:25 p.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Thank you, Chair, and welcome to Mr. Hill as well. Your travels finally got you here.

I'd like to refer to the commissioner's comments earlier about the number of breaches that are becoming commonplace, and as he said, becoming a growing phenomenon. He's approximated at 60 a year the number of breaches that are being declared at this time. That's up or down a bit, but that's going to continue to grow with mandatory notification.

Mr. Smith, I would like to start with you directly, and then go to Mr. Elder. I wonder if you could give me some examples within your community, within the chamber, and within its membership, of what businesses are doing to take action today, to comply with this legislation that's coming forward.

In terms of protecting against such breaches, how are businesses getting ready for this type of phenomenon?

February 17th, 2015 / 12:25 p.m.

Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

There are a couple of ways to answer your question.

The legislation has been in place for over a decade now and it's working well. As you heard, businesses are reporting.

There are incidents. These breaches are increasing. You hear about them in the media. Generally, those are not the fault of the businesses. They're being attacked in a number of different ways. If you're talking from a cybersecurity perspective, they have challenges in being able to protect themselves against that. That's not unique to business. That's happening to government. It's happening to everybody. You heard that even the U.S. government was attacked.

From a small business perspective, they look at PIPEDA and are doing what they can to comply. Most of the breaches that you don't hear about are being handled at the front lines and reported to individuals. It's not coming back to the Privacy Commissioner at all. Generally there's no need for it to come back because there is no risk of harm to that individual once the breach has been dealt with. Systemically, they're managing these internally.

Is business preparing for the changes to PIPEDA that are coming under Bill S-4? They're certainly aware of them. Will they make any changes? Not until the bill comes into place, I would suspect.

12:30 p.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Are the changes significant to small business?