Thank you very much, Mr. Chair.
Honourable members, my name is John Lawford. I'm the executive director and general counsel of the Public Interest Advocacy Centre, a national non-profit, federally incorporated organization founded in 1976 that provides legal and research services on behalf of consumer interests, and in particular, vulnerable consumer interests.
Due to the time, I'm going to be speaking today solely to the breach notification amendments. However, I'll be happy to take questions on other aspects of the bill.
PIAC believes that the goal of an effective data breach notification law is to actually notify individuals of the loss, unauthorized access, or theft of their personal information from an organization whenever it is possible for the individual to take steps to avoid financial, reputational, or other harms, or to minimize these impacts. In our view this goal can be accomplished in a manner that also removes conflicts of interest in reporting breaches; reduces compliance cost and risk for business, in particular small business; generates data for better policy outcomes; engages, improves, and leverages the expertise of the Office of the Privacy Commissioner, OPC, in dealing with breaches; and encourages business and consumers to make investments in data security.
Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4 incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill, as there is no advantage to a company to report and every advantage to hide a data breach.
The conflict of interest in having a company assess whether an individual faces a real risk of significant harm from a data breach is one that will be settled in close cases and some more egregious ones by the company concluding there is no such risk. Such an assessment avoids the cost, reputational damage, and inconvenience faced by the company. It also avoids putting the company on the radar of the OPC for an audit or an investigation.
While it's true the company does face prosecution under the amended section 28 of PIPEDA and a possible fine up to $100,000, perhaps even per record, that offence is premised on not reporting a breach knowingly. Any organization that sets up even the most basic process to come to a conclusion that a breach was not a real risk of significant harm would have a very strong defence. This flaw is exacerbated by the bill's requirement to report all breaches regarding a real risk of significant harm simultaneously and relatively instantly to the OPC, whose role is purely observational, to affected individuals and to unspecified third parties who may be able to help. Which individuals to notify will be determined solely by the company involved, which will be dealing with the chaos of several reporting requirements that frankly make little sense as structured. The incentive again will be to keep the reporting to individuals to as few in number as possible. Contrast this with our vision of how Bill S-4 could work.
Step one, replace the initial reporting to all parties on the real risk of serious harm test for the requirement to immediately report material security breaches involving personal information to the OPC only. In Bill C-12 of the previous Parliament, in that version, proposed section 10.1 did this very well, with one exception. We would recommend removal of the systemic problem assessment, which the bill required and which also led to the disincenting of reporting.
Step two, leave the decision of whether to order—and yes, I said order—a company to report a data breach to individuals to the OPC. The company would have no say in the matter. The OPC would be an impartial third-party arbiter of whether a breach was a real risk of significant harm to affected individuals. The OPC would gain experience, expertise, and authority in assessing breaches. The OPC decisions would be made public, meaning Canadians would finally know which companies had breaches, because this is presently not known for all breaches under the voluntary breach notifications referred to and the private conversations that we know the Office of the Privacy Commissioner has with companies.
Finally, the gathering of security failings generates data that could lead to better policy outcomes based on encouraging companies to invest in improved data security.
This approach would also benefit business, especially small business. With the OPC making the individual notification call, the business would be relieved of the compliance costs in hiring consultants to manage its data breach response, as the OPC would specify when, how, and how much notification was required. It would virtually eliminate the risk of civil liability for data breaches. The OPC could provide extensive breach notification guidance and materials to ease the reporting process for business in dealing with the stress of a breach.
This committee could save time and effort in designing step two by essentially copying the relevant section of Alberta's Personal Information Protection Act, namely section 37.1 of that act.
Finally, a rewrite of Bill S-4, as suggested, should encourage both business and consumers to take personal information security and the response to it more seriously. For business, a step-one requirement to report security breaches to the OPC would drive investments to improve systems in order to avoid having to report breaches. For consumers, a step-two notification could be treated as authoritative, serious, and OPC-approved assurance of impartiality, and spur consumers to take action to appropriately deal with breach notification and, finally, to reflect their judgment of the information-handling practices of the business to those businesses.
Thank you very much. I await your questions.