Evidence of meeting #36 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.

A recording is available from Parliament.

Also speaking

Philippa Lawson  Barrister and Solicitor, As an Individual
Vincent Gogolek  Executive Director, BC Freedom of Information and Privacy Association
Michael Geist  Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

March 10th, 2015 / 12:10 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you, Mr. Chair.

Thank you to all the witnesses.

I'm puzzled by the line of questioning by the previous member, because clearly it was the government's decision to, first of all, introduce this bill in the Senate and to give it very little review, with very few witnesses, very little oversight, and to take nine years, frankly, to develop this legislation. There's no excuse for that kind of delay.

There was an implicit criticism of these witnesses for not having offered their testimony at the Senate hearings, but there was no opportunity for them to do that. Having said that, their perspective, Mr. Chair, was covered.

12:10 p.m.

Conservative

The Chair Conservative David Sweet

You have a point of order.

12:10 p.m.

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

The comments made by Ms. Nash are not accurate. They've been addressed to me, I believe—

12:10 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

I addressed them through the Chair.

12:10 p.m.

Conservative

Mark Warawa Conservative Langley, BC

I am speaking to the Chair.

In fact, the question was this. Were the witnesses at the committee as witnesses or did they make submissions? If there was any offence taken, there was no intent to create an offence. It was in fact to ask if they provided testimony or if they provided a submission.

Mr. Chair, we often have submissions presented to you, and those are forwarded on to us, and we find them very valuable and informative. That is a venue for others to provide input and information to this committee so that we can do our work very well. It's important that it be made clear that people can do that.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

Thanks.

Go ahead. I've stopped the clock, so I'll restart it again.

12:15 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

All right, thank you. That will not be deducted from my time.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

It hasn't even started yet.

12:15 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Okay, super, thank you.

I do want to reiterate the point, through you, Mr. Chair, that the point of view that is being expressed by the witnesses here today, and the concerns that they're expressing about Bill S-4 were in fact offered to the Senate committee, but those changes that were recommended were not reflected in the bill that we see before us today. I'm assuming that's what we're being advised of here.

I think the witnesses are raising serious concerns and the Privacy Commissioner, himself, raised concerns about the scope of this bill.

Ms. Lawson, I want to start with you and ask you specifically about the subjective model proposed here for companies determining if there's been a mandatory data breach, disclosure on that. Can you advise us of your interpretation of what could happen with what's being offered in Bill S-4, and how you would recommend tightening up that provision?

12:15 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Sure, thanks.

I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly.

One solution is to have the Privacy Commissioner be able to review the breaches and determine which breaches require, for example, notification of individuals. This is the model that is being proposed by PIAC, I believe, and it's certainly one that would get around the problem of the industry itself determining whether or not a breach meets the threshold for reporting to the Privacy Commissioner and/or to individuals if you go with a different standard.

I think it is a problem. I guess you can call it a subjective standard, but the problem is that industry is making its own determination, and if you're going to go with that kind of model, then it's all the more important that you have strong incentives in place for industry to comply. Otherwise they won't. It's simply not in their interests, and that's what we're seeing. If you study any aspect of PIPEDA compliance right now, non-compliance is just a cost of doing business right now. That's a fact.

I'm disappointed that the Privacy Commissioner is not really acknowledging that and calling for order-making powers. It's something that's very disappointing to me. As I said already, I had to take the Privacy Commissioner to court in order to get her to exercise her jurisdiction at that time, and it seems that for some reason there is not the appetite that there should be in that office for order-making powers and more effective enforcement of this legislation.

12:15 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Just so I understand, the test is an objective one, but it is subjective with respect to the private sector if they determine or believe they have breached that level. So, am I to understand that if there were this two-step model in place whereby there was mandatory disclosure to the Privacy Commissioner, then it would be up to the commissioner to determine if the breach should in fact be reported to the individuals affected?

12:15 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

Yes. To be fair, it is an objective test. If you look, for example, at proposed subsection 10.1(1), it says:

An organization shall report to the Commissioner....if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

That is an objective standard. The problem is that we're letting the industry itself make that determination when there is a huge incentive for the industry not to disclose, so either you need much stronger incentives for disclosure or you need a third party, like the Privacy Commissioner, to make that determination, to be able to review it, to have the resources with maybe one or two more bodies in the office to review these much more standard breach notifications and at least determine which ones need to be sent to individuals.

12:20 p.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

I have one other question for you, Ms. Lawson. You talked about the fines today and the fines contained in Bill S-4 as the costs of doing business, and you said they're not a serious enough disincentive to any kind of privacy breach.

What do other jurisdictions have? What would be a serious disincentive that would really encourage the private sector to ensure that it is maximizing privacy protection?

12:20 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

I think Dr. Geist made a good point in that respect in suggesting that we look at the anti-spam law this government has passed and the attention it's getting from industry. Dollars matter, but it's also the process.

With fines, quasi-criminal fines, that require prosecution and proof of intent, even if they are high, the risk of a company being fined is very low.

What's much more effective are administrative monetary penalties, which can be imposed much more easily without the quasi-criminal process and proof of intent. That's the route we've gone with the anti-spam law and that is the route we should be going with for this law as well.

Another very strong incentive is civil lawsuits. If individuals are able to bring civil lawsuits or class action suits against companies, that can be a very strong incentive. It's not a strong incentive under this regime because it's too difficult to do so, because there are no damages for embarrassment in it. That's been taken out. It has to be humiliation, so it's a high standard, and there are not a lot of dollars an individual would get even if they were able to sue.

There are different ways. The third type of incentive is bad publicity, but once again we're not seeing that being used very often by the Privacy Commissioner. This regime—when you look at section 20, which does allow for disclosure by the Privacy Commissioner if it's in the public interest—starts out by saying that there shall be no disclosure of this breach through reporting.

Why not? Why not make that a transparency reporting thing? Why not use bad publicity?

So there are three types of financial incentives that can be used, and I don't feel that any of them are being used to the optimum under this proposed legislation.

12:20 p.m.

Conservative

The Chair Conservative David Sweet

Thank you very much, Ms. Lawson.

Now on to Madam Gallant, for eight minutes.

12:20 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Thank you, Mr. Chair.

First of all, I have a question for Professor Geist. You mentioned that you had concerns about warrantless disclosure of information on the part of telecoms.

Where in this legislation would you be applying warrants?

12:20 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

What I said was that I'm concerned about disclosure without a warrant and without consent, or without knowledge.

Warrants involve situations where we have disclosures to law enforcement. Where this law applies is not to law enforcement, but rather to voluntary disclosures to non-law enforcement.

We've seen under PIPEDA, the existing system, the ability for organizations, where they are conducting investigations or potential lawsuits, to go to get the necessary court orders for disclosure of that information.

In a number of those kinds of cases what the courts do is to set real conditions around that disclosure. There is both oversight as to when those disclosures occur, and then clear limitations on how that information may be used, including to whom it may be further disclosed, and the need to destroy it—a whole series of conditions recognizing the privacy import of that information.

What this bill does is to expand voluntary disclosure of that information without court oversight and without any limitations.

12:25 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

This bill does not pertain to law enforcement. What you're referring to are bills that would pertain to law enforcement.

12:25 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

No. What I'm referring to is an organization that has my information. There may be instances where they are disclosing it either to law enforcement or to private sector organizations.

In the law enforcement context, if it's a warrant, and post the Spencer decision, it's quite clearly now going to be a warrant, or should be a warrant.

In the private sector what this bill does is to say that we can disclose information on a voluntary basis without a court order and without any sort of court oversight.

I'm saying that, over the last number of years under PIPEDA, we've had cases where organizations have said that they want to identify who those subscribers are because they want to sue them, and there's an instance where they are conducting this investigation or have this legal process. The court examines the circumstances around whether there's an appropriate case to order that disclosure and sets limitations on the disclosures that can occur.

What Bill S-4 does is to expand the prospect of that kind of disclosure on a voluntary basis.

12:25 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

So the disclosure that's required by this bill is on the part of companies when there's a data breach.

12:25 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

No, not a data breach at all. The language used in Bill S-4 is exceptionally broad. It refers to the ability to disclose this information—here, I can try to call it up for you—where it is reasonable for the purposes of investigating a breach of an agreement or a contravention of a law that's either been, has been, or might even be committed, and where it is reasonable to think that if the individual were made aware of that disclosure, it would compromise the investigation.

We're not talking about data breaches here; we're talking about virtually carte blanche voluntary disclosures.

12:25 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

That part of the bill refers, as I read it, to the internal investigations of an organization where they're looking for internal fraud.

12:25 p.m.

Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual

Dr. Michael Geist

There's no reference to internal organizations nor internal fraud. The new (d.1) is talking about “a breach of an agreement or a contravention of the laws of Canada or a province” that's either been committed or, even, that might be about to be committed. It's anticipatory: I think something might happen, and so I'm going to move forward. We're talking about breach of contract even. Someone could then say that I'm entitled to voluntarily disclose. The notion that Canadians ought to be assured that there's a reasonableness standard in there doesn't strike me as providing much comfort whatsoever. This is very broad. There are no limits and there are no clear limits, limits other than that reasonableness, but that's a very limited standard, and there are no limitations set on what can happen to that information afterwards. We're not talking about security breach. We're not talking about fraud. We're not talking about internal investigations here. We're talking about something much, much broader.

12:25 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Okay, thank you, for now.

Ms. Lawson, you said that the terms of service are too long and people don't bother to read them. The onus is really on the person who clicks on the “Accept”. If this is too long and onerous for the person to read through, and we're letting them be bereft of responsibility for what they're accepting, what is it that you want to see on that page where people read through and click to accept?

12:25 p.m.

Barrister and Solicitor, As an Individual

Philippa Lawson

If you're going to rely on consent and you want it to be meaningful, then forget negative-option or hidden consent. Everyone knows that no one has the time to read or the ability to figure out where it is hidden in the 20 pages of fine-print legalese. Let's go with real, meaningful consent, which is affirmative opt-in express consent, for all non-essential collection, use, and disclosure of personal data.

What that would mean is that you would have to click “I agree” to the specific disclosures. They would be optional. PIPEDA, as it stands, requires that non-essential collection, use, and disclosure of personal data be optional. The problem is that it allows negative options, hidden options. The hiding needs to be changed. They need to be brought out in the open and it needs to be opt-in consent. Customers must not be forced to consent to things that are not necessary, like marketing.