Thank you, Mr. Chair.
Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I've appeared before this committee on a number of occasions on digital policy issues, including privacy, and I appear today, as always, in a personal capacity representing only my own views.
Actually I previously appeared before the Senate committee that was studying Bill S-4 and my remarks then focused on three broad issues.
First, I offered my support for several important provisions in the bill, particularly the additional clarification on the standard of consent, the extension of the deadline to take cases to the Federal Court, and the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings or other matters. Second, I identified issues that I think need amendment or improvement: the security breach disclosure rules, particularly the abandonment of a two-step disclosure process that was found in some earlier bills; the compliance agreements provisions, which I think could be strengthened with penalties or order-making power; and the expansion of voluntary disclosure of personal information between private sector organizations. Third, I talked about some missing provisions, namely, what I think is the need for mandatory transparency reporting.
My time this morning is limited, so I'm going to delve deeper into just two issues, the voluntary disclosure provision and transparency reporting.
On voluntary disclosure, as you know, Bill S-4 expands the possibility of personal information disclosure without consent or court oversight to anyone, not just law enforcement. As you know, the bill features a provision granting organizations the right to voluntarily disclose personal information without the knowledge or consent of the affected individual and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation, or even the prospect of a future violation.
This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. I believe this runs counter to the court decisions that we've seen from the Federal Court, which have sought to establish clear limits and oversight over such disclosures as well as the spirit of the Supreme Court of Canada's Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with such information. In fact, if we examine the leading cases involving disclosure of customer information in private litigation—not to law enforcement but in private litigation—such as in Warman v. Fournier, BMG v. Doe, Voltage v. Doe—virtually all emphasized the need for safeguards before customer information is disclosed, even as part of an investigation.
A House of Commons committee did recommend a similar reform in 2006, but that recommendation was rejected at the time, both by the Conservative government and the Privacy Commissioner of Canada.
I recognize that some have suggested that both Alberta and B.C. have similar provisions and that no harm has resulted from their approach. I'm not so sure. I don't think anyone can reasonably conclude that the provincial approach has not resulted in privacy risks or harms. It's important to bear in mind that the disclosure itself is not necessarily revealed to the affected individual. Indeed, the point is often to disclose without knowledge or consent, meaning the affected individual will not know that their personal information has been disclosed. Asking for evidence of harm when the harmful conduct is kept secret from those who are affected creates an impossible evidentiary burden. In fact, even if you believe that the disclosures might come to light through court processes should it reach that point, and we know that oftentimes the disclosures won't ever reach the point of a court case, provincial privacy law such as we find in Alberta and B.C. rarely involves having these kinds of cases come to light. It's no coincidence that the leading cases involving personal information involve PIPEDA, because those cases typically involved telecom companies, Internet service providers, websites, and banks, all largely governed through PIPEDA.
In other words, the existence of this kind of provision at the provincial level actually tells us very little about how it will be used under PIPEDA. The reform here, I think, is clear. There is no compelling need for a change. The current system has been in place for many years and there are dozens of organizations that are covered by the investigative bodies exception. It may have been a bit of a hassle 10 years ago, but now the reform makes little sense. Further, if there are specific industries that can point to concerns, I think those can be addressed through a narrow amendment, but the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.
Second is the need for transparency reporting. The lack of transparency in reporting requirements associated with personal information disclosures, I think, is a glaring omission from the bill. The revelations last year of over a million requests and over 750,000 disclosures of personal information in a single year, the majority of which happened without court oversight or a warrant, point to, I think, an enormously troubling weakness in Canada's privacy laws.
More recently, the Privacy Commissioner of Canada tried to conduct an audit of RCMP requests for subscriber information and was largely forced to abandon the audit when the data there were found to be inaccurate and incomplete.
Now, there are some companies, such as Rodgers and Telus, that have begun to issue transparency reports, but there are others, most notably Bell, that have not. Most Canadians have simply no awareness that this is taking place. This deficiency can be addressed, I think, through two reforms.
First, the law should require organizations to publicly report on the number of disclosures they make without knowledge or consent and without judicial warrants. This information should be disclosed in aggregate on a quarterly basis—every 90 days. I'm not talking about disclosing it to each individual immediately; we're talking about its being on an aggregate basis and a quarterly basis.
Second, those organizations should be at some point in time required to notify affected individuals within a reasonable time. Leave aside the necessity to keep it secret, if necessary as part of an investigation; once it is concluded or a reasonable amount of time has passed, either get a court order to continue the secrecy or disclose the disclosure to the affected individual.
The adoption of those kinds of provisions—transparency reporting and that disclosure—would, I think, be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
I welcome your questions.