Evidence of meeting #36 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Okay, so it's not the length of the text or the legalese, it's the hidden negative options. Thank you.
Now you had said that you do support the protective measures in this legislation. The measures that are put forth to protect consumers, how do you see them as being beneficial? What is it that they're doing, in your mind?
Barrister and Solicitor, As an Individual
Sorry, I'm not sure what you're referring to. Is it something in Bill S-4?
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
You said there are positive aspects of the measures in Bill S-4.
Barrister and Solicitor, As an Individual
Well, certainly giving the Privacy Commissioner the power to make and enforce compliance agreements is a step forward. It's not nearly as great a step as should be in here, but it's something. Certainly having the security breach notification regime, some kind of regime in place, for reporting to the commissioner and to individuals is better than nothing, in my view. However, this is not nearly as good as it could be. We've been calling for this for 10 years, looking at it and studying it. At this point in time, there's so much experience in other jurisdictions, we should be getting it right. There's no excuse for not doing a better job.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Okay.
Mr. Gogolek, you said that there's no surefire way of saying that provincial policy doesn't cause harm. You said that the way the policies were written in B.C. and Alberta, there was still the potential for harm to be done to the people they're supposed to be protecting.
Can you give any evidence or examples of where there is a potential for a breach under the provincial legislation this is supposed to be mirroring?
Executive Director, BC Freedom of Information and Privacy Association
Are you referring to the quote from the commissioner's report on PIPA? In that report the commissioner said that because we don't have the reports in terms of the information being made available, she is unable to tell. This was in relation to Professor Geist's report. This indicates the difficulty our commissioner in British Columbia has because she is not being made aware of what's going on. It highlights the importance of the commissioner being made aware of these situations as much as possible, partly for systemic reasons, but also to know what's going on.
Conservative
The Chair Conservative David Sweet
Thank you, Madam Gallant.
We'll now go to Madame Papillon for eight minutes.
NDP
Annick Papillon NDP Québec, QC
Thank you very much, Mr. Chair.
Mr. Geist, thank you for being here today.
During a Senate committee meeting, you gave the example of California, which requires the disclosure of any security breach related to unencrypted personal information when there are reasonable grounds to believe that the information was acquired by an unauthorized person.
Could you give us a concrete example to explain the impact that a similar definition might have on the application of Bill S-4?
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure. At the same time, it creates incentives or protection for users because they become aware of these disclosures when they happen.
What we've got under Bill S-4 is such a high threshold, and I think Ms. Lawson referenced this as well, that if the standard is only a real risk of significant harm and we don't have big penalties associated with non-disclosure to begin with, at least if you're a larger organization, in many instances, I think it's going to be quite rational, frankly, for an organization not to disclose. They're going to ask, first, what's the risk that anyone will ever find out about this? Second, if they do happen to find out about it and someone shows that there was a real risk of significant harm, then we will face a penalty. But even there, the penalties are relative low.
So what the California law does is to say that we want to ensure that if we're going to err on one side or the other, it's will be to err on the side of trying to mitigate against identify theft, to err on the side of ensuring that there is better security, and by lowering the threshold. We tried to do that a little bit in Bill C-12 and Bill C-29 with the two-step process, so that at least you are made sure that the Privacy Commissioner would be aware of the circumstances where there's a material breach. But in doing away with all of that, I don't think it's just a fear that breaches will occur in Canada. I think these should be expected. And if you asked many Canadians, they would tell you, “Boy, I should have been told about that”. And yet they won't be because companies are going to err rationally, based on the way this law is drafted, on the side of not disclosing it.
NDP
Annick Papillon NDP Québec, QC
Thank you.
I will continue with you, Mr. Geist.
During the Senate committee meeting, you also said that creating compliance orders would be founded if accompanied by the powers required to impose sentences or take regulatory actions, as is the case in the United States, where compliance orders are customary.
Could you explain in more detail what necessary powers we lack in Canada?
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
What we lack is both tough penalties, as we've talked about, and order-making power for the commissioner to order someone to comply with rules, as is found even at the provincial level. The prospect of negotiating compliance agreements is certainly better than what we have now. I don't think anybody disputes that. Nonetheless, it's essential that we do better and provide the commissioner with real powers to be in a position to ensure that organizations are more likely to comply. I think it's striking that people often reference the United States and will argue that in the U.S. they have no broad-based privacy law as we do in Canada, and for a long time Canadians have said that we are much further ahead than the U.S., that we at least have this broad-based privacy law. However, the reality is that the Federal Trade Commission, through its order-making power and its power to truly enforce, has been able to exact far tougher penalties and far stronger levels of compliance than the comparable here in Canada because our commissioner simply hasn't been granted those kinds of powers.
NDP
Annick Papillon NDP Québec, QC
What you are saying is interesting.
Let's come back to Quebec. Quebec legislation relating to the protection of digital privacy sets out exceptions that allow a business to gather or disclose any personal information without the consent of the individual concerned, but these exceptions are very limited and include, for example, situations involving a criminal investigation.
Do you think Bill S-4 could be inspired by what has been done in Quebec?
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
I don't have expertise in the Quebec law per se, but there is a series of exceptions, quite clearly, even as it stands now under PIPEDA. So when we talk about substantial similarity between the provinces that have these kinds of laws, I think what you're saying is somewhat consistent with that.
I really think what this would do, though, especially on that voluntary disclosure, is move us far beyond where I think most Canadians would expect in terms of the potential disclosure of their information without setting the sorts of oversight and kinds of conditions that would otherwise be appropriate.
NDP
Annick Papillon NDP Québec, QC
So Bill S-4 would give the privacy commissioner new powers to conclude compliance agreements with organizations. Are you afraid that the commissioner would be overwhelmed if every breach is reported to him?
I think you suggested that at the start of your speech.
Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual
I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill C-12 and Bill C-29 standard, that's not the standard we talked about. It set a material breach as the standard.
You can debate whether or not that's the appropriate standard, but at a minimum it gets us at a number of breaches that this law will not. Moreover, it does so in a way that I think was good for companies too, because rather than companies being faced with this either/or of going to the expense and potential embarrassment of simply disclosing or not, it said as an intermediary step, let's discuss this on a confidential basis with the Privacy Commissioner's office and determine whether or not it warrants that broader disclosure.
Frankly, that was a good thing for organizations to potentially avoid having to make those broader disclosures, in some circumstances, and it provided the comfort of ensuring that users knew that, at a minimum, we had an advocate, the Privacy Commissioner, who was going to be made aware of these circumstances.
It's puzzling to me why this was removed in favour of a process that, frankly, does less to protect Canadians and, ultimately, actually can create larger costs for companies as well.
NDP
Barrister and Solicitor, As an Individual
If I could just quickly jump in, if there's no requirement to report a certain class of security breaches, there's no incentive for the company to avoid them.
Executive Director, BC Freedom of Information and Privacy Association
I would like to talk about another aspect relating to what Professor Geist mentioned.
This also imposes a kind of penalty on companies that are more considerate about protecting our privacy. In fact, the companies that are the most open and that will inform more people if they encounter a privacy-related problem will see their reputation pay the price.
Those companies that take a chance and try to hide things or who see the situation and decide to do nothing, it is always possible that no one will know that there was a problem or a breach. That isn't the situation we should create. We need to have minimum standards so that everyone knows what their level of behaviour should be.
Conservative
The Chair Conservative David Sweet
Thank you very much.
Thank you very much, Ms. Papillon.
I just want to let the witnesses know that our final questioner is coming up and I'm looking at the time. Our clocks are about three minutes slow, by the way, going by our BlackBerry time, but I wanted you to be aware that we'll probably have the ability to give each of you two minutes to wrap up. So if there are some final points you want to make, then keep that in mind as Mr. Lake begins his questioning.
Mr. Lake, you have eight minutes.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Thank you, Mr. Chair.
I found it interesting to listen to all of the testimony first before getting a chance to talk.
Ms. Lawson and Mr. Geist both made similar statements. I wrote down that Ms. Lawson said, “We should be getting it right” and Mr. Geist that “We have to get it right”.
Interestingly, of course, I think that when we have these hearings, “right” means “the way you want it”. Ultimately, there have been other witnesses who have come before committee and said very different things. If the definition of “getting it right” means, for example, agreeing with those who said that consent provisions go too far, which we heard in the previous meeting, I don't imagine you would think it means we're getting it right.
Someone said that our data breach reporting regime is too onerous. If we decided that was the direction to go in, I'm quite certain that neither of you would say that this is “getting it right”. When anyone uses this term, I always hearken back to our hearings on anti-spam and copyright and even UBB. People's definitions of getting it right are very different. As in those cases, we're left to try to find the balance between very different, competing positions, and I think the case with this bill is no different.
Taking a look at three of the areas that have come up, I find it interesting....
Ms. Lawson, I'm going to come to you first and deal with section 20. You mentioned you had some concern with that section, I think around the confidentiality provision written into Bill S-4.
Conservative
Conservative