Industry Committee on March 10th, 2015

Given the complexity of the vocabulary used, I will answer in English if I may.

I agree with what Professor Geist has just said. The federal Privacy Commissioner has noted that there are difficulties with Bill S-4 as a result of the Spencer decision. Our commissioner in British Columbia has as well. Commissioner Denham has been calling for tightening of our legislation “without consent to cases where the disclosure is “necessary” for purposes related to an investigation or proceeding.” At the same time that the current version of Bill S-4 is taking one approach, one of the substantially similar provinces—one of the committees—is heading in the opposite direction as a result of their understanding and interpretation of the Spencer decision. As Professor Geist said, the drafters of Bill S-4 didn't have the advantage of Spencer. We do today. We know what the Supreme Court of Canada said about this. I think we have to take this into account.

It's more an issue of harmonization and, for that, there are two key factors to consider. The first is privacy protection of all Canadians. As you said, the fact that this protection varies from province to province is not a good thing. Why would British Columbians be better protected than Ontarians or Newfoundlanders? I don't think this is the approach we should adopt. I am convinced that it is your responsibility to make these acts similar overall. This concept of similarity is legislative.

Mr. Carmichael asked a question about this earlier.

As for there being different regimes—things that are not quite the same—this also deals with the compliance of organizations and companies. If companies have different requirements in different jurisdictions, having to do one thing in B.C. or Alberta or Quebec and then something else in the rest of Canada—which gets back to Ms. Lawson's comment about order-making power—they will decide that, well, we've been ordered to do something by the B.C. commissioner, so we have to comply with that or be in contempt of court. This is the good thing about the compliance agreements, but, ultimately, we need order-making power, because a company may decide that it doesn't want to do that. So we will end up in different situations.

I'll jump in quickly by saying I think you raise a great point. Even today, I think we've already heard a bunch of potential suggestions about the kinds of things we could do that go beyond the four squares of the legislation itself.

With respect to Spencer, I think it points to what would be a really problematic outcome, one in which we find that where law enforcement is seeking information, they obtain court orders, whereas where that same information might well be disclosed in a private sector circumstance, there is no oversight or no limitations other than those found in the legislation. But as Ms. Lawson pointed out, they aren't very strong.

I think finding some amount of consistency, in terms of how we address the disclosure of personal information, especially when we're talking about things like subscriber information, which nowadays tells so much about our daily lives, would be very valuable and would allow us to have a more cohesive approach to privacy protection in Canada.

I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry to comply?”

When I say “comply”, I don't just mean reporting the breach and keeping the records of it; I mean complying by putting in place adequate security measures in the first place. I would think that what we're trying to do, first and foremost, is to make sure that companies put in place reasonable security safeguards. You need incentives for that, and in the private sector those need to be financial incentives.

I'm not sure if that was your question, but the point I was making is that I'm concerned that we may not have adequate incentives. A very strong incentive is negative publicity, and I don't understand why the Privacy Commissioner is being dissuaded in this legislation, under section 20, from publicizing those reports. Why don't we make them public? Why isn't transparency reporting part of transparency disclosure?

The submissions that CIPPIC made in 2008 on this issue were that we should establish a public registry of security breaches. Why are we treating these as confidential?

I think I would just agree with the other two witnesses. I think it is important, as Professor Geist stated, as related also to the transparency reports and making them public rather than private, that we do know about this, especially in terms of, as Professor Geist just suggested, the commissioner being aware of situations where there could be a systemic problem. I think that's vital.

Absolutely; I would say that the first and foremost most important purpose of breach notification is to put in place incentives for the companies themselves to put in place the security measures that prevent the identity theft from happening in the first place.

But I'm concerned for the reasons I've expressed. I'm concerned that the regime here is not strong enough.

Again, I'm agreeing with Ms. Lawson, but also, in terms of dealing with the question of breach notice fatigue, I think it's possible to deal with that through the notification itself. If it's something that does not relate to...or where you're just being advised that something happened that may affect your personal information, it's different from, “Okay, you'd better cancel your credit cards and get new ID”, or things like that.

So I think it can be dealt with at that stage rather than just saying there's no obligation to report.

The answer, of course, is yes, security breach disclosure does help address identity theft, for the obvious reason that it creates a stronger incentive for organizations to do a better job of securing the information they collect. It provides notification to users in some circumstances so they can take appropriate safeguards and try to mitigate against the potential harm that could occur from identity theft. But let's be clear: we've waited nine years for this legislation. We started conducting hearings on this back in 2006. This is a long period of time. Merely saying that we have a provision that will help, but not help as much as we could otherwise....

Particularly given the kind of globalization of information that you've suggested, and particularly given, I think, our increasing awareness of the harm that can arise out of identity theft, we have to get it right. We don't just have to try to get a provision that will help. We have to get a provision that will in an optimal way ensure that Canadians are more effectively safeguarded against identity theft. As I've tried to suggest, I think we can do better.

I would say to stop focusing on consent so much and put in place some hard limits. Let's acknowledge that consent is unrealistic in many situations, and put in place hard limits on what companies are allowed to collect in the first place and use and disclose later on.