Evidence of meeting #37 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was s-4.
A recording is available from Parliament.
12:10 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
So this is the kind of thing that would reveal if I'm searching for cars on the Internet. Then I get advertisements that pop up that try to market cars to me. Is that the kind of thing it can do?
12:10 p.m.
Campaigns Coordinator, OpenMedia.ca
Absolutely, yes, and definitely in more sensitive cases than that—
12:10 p.m.
Campaigns Coordinator, OpenMedia.ca
Yes, in more sensitive cases than perhaps buying a car is the opportunity for people who are seeking medical advice or people who are potentially seeking out sources on political information. These are things that people have a reasonable expectation of privacy to and don't imagine would be revealed by just the comings and goings of their IP address.
One of the other things we're also concerned about with this bill is that it doesn't just limit the information that you can reveal to the IP address. It's actually any personal information that company has stored on you that they think may be reasonable for the purpose of their investigation, so that can literally include your e-mail logs. It can include any information that this company has collected on you, and that's definitely something concerning to us.
12:10 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Thank you.
Ms. Vonn, you're from B.C., and we've heard testimony that where there are problems, where there are unwarranted breaches, or breaches without consent, the provincial privacy commissioner has order-making power. The federal Privacy Commissioner does not. Do you think having order-making power has improved the legislation in British Columbia, improved the enforcement?
12:10 p.m.
Policy Director, British Columbia Civil Liberties Association
I think it's critical that the Privacy Commissioner has order-making power. As I say, we have no indication here that we've seen any privacy commissioner with order-making power act anything other than sweetly reasonably. There is a question of will this not be heavy-handed, will organizations that make inadvertent mistakes be somehow characterized as bad players, etc.? This is simply not what we're seeing with privacy commissioners who have order-making powers across the country, who still have the ability to use moral suasion, advising best practice and all of the other range of educative tools that we would like, but nevertheless have something backing them up.
To explain to, in our case, British Columbians that your privacy rights are enforceable, I can tell you Canadians are stunned to find out that their statutory federal privacy rights are essentially incredibly difficult to enforce and require an exorbitant amount of resources to take you to an enforcement place.
12:15 p.m.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Thank you.
We heard that the federal bill S-4 is based on the Alberta and B.C. bills, but it's our understanding that B.C. recently conducted a review of PIPA, its provincial legislation, based on the Spencer decision at the Supreme Court. We heard from Vincent Gogolek at our last meeting from the BC Freedom of Information and Privacy Association. He said that what happened was the scope of PIPA, the B.C. law, was narrowed. Now the minister, Minister Moore, feels that Bill S-4, this current bill, is in compliance with Spencer. You seem to have a different point of view. Can you clarify that?
12:15 p.m.
Policy Director, British Columbia Civil Liberties Association
We have not limited those provisions yet in British Columbia. The privacy commissioner has recommended in light of Spencer that they be limited to disclosures that involve the organization in question, so not third party....
12:15 p.m.
Conservative
The Chair Conservative David Sweet
Thank you very much for that brief answer.
Mr. Warawa for five minutes.
12:15 p.m.
Conservative
Mark Warawa Conservative Langley, BC
Thank you, Mr. Chair.
Thank you to the witnesses.
My focus and my questions will be on dealing with privacy issues and moving forward.
As you know, PIPEDA became law in 2000. It came into force over 2001 to 2004 and there is a statutory review on most federal legislation and that statutory review took place, I believe, in 2006 or 2008. My question is going to be focusing on whether we should continue to discuss potential amendments to this or we should move forward and get general consensus on Bill S-4 and move it forward. Or do we not move forward on Bill S-4 and ask the next parliament to deal with this.
As we heard from you, Mr. Chair, you're recommending that we start clause by clause on the 31st, because what we've heard, in submissions and from the witnesses, is that there's general support for Bill S-4, from the public and from the witnesses. There are some suggested amendments but some of these changes can be done by regulation following the amendments and passage of Bill S-4 if it does happen. We have a very short window to pass it in this parliament. If we don't, it will be the next parliament and we've already been at work on this almost a year.
That's going to be the focus of my question. Do we move forward or are you suggesting that we not move forward?
I'm going to first go to the Canadian Bankers Association. You were quite involved in the judicial review. You appeared before the committee to express a general support for PIPEDA and then you made a number of recommended changes that are in Bill S-4. Could you highlight some of those changes that you are happy with that are included in Bill S-4?
12:15 p.m.
Director, Consumer Affairs, Canadian Bankers Association
Certainly, the financial abuse provision was one of the ones that we were very strongly looking for. We also supported having a breach notification and reporting regime. It's something that the banks have been doing for decades, since PIPEDA came into effect and that's certainly a positive.
There were a couple of others. The legislation wasn't clear that schedule III banks were included and the bill has included that as well. So there are a number of the things that we were in favour of.
12:15 p.m.
Conservative
Mark Warawa Conservative Langley, BC
You are generally in favour of Bill S-4 moving forward. Is that correct?
12:15 p.m.
Director, Consumer Affairs, Canadian Bankers Association
If we could get that one amendment to expand the ability of banks to share information for the purposes of preventing, detecting, and suppressing criminal activities, not just fraud....
12:20 p.m.
Conservative
Mark Warawa Conservative Langley, BC
Would Bill S-4 improve protection for seniors and vulnerable groups?
12:20 p.m.
Conservative
Mark Warawa Conservative Langley, BC
It is very important, Chair, that we identify that.
Mr. Littler, you highlighted the support of your organization, the Retail Council of Canada, and you highlighted that there could be amendments by regulation to identify the vulnerable groups. Is that correct?
12:20 p.m.
Vice-President, Public Affairs, Retail Council of Canada
That's correct. There are a number of specific provisions in this bill that we do support, and I had noted especially the business contact information exemption, which is significant here. We are supportive of the sort of alternative route, if you like, of voluntary compliance agreements. There are other aspects in here. On balance, if the section that is intended, although does not explicitly state that it covers protection of vulnerable persons, is to proceed, we would hope to see some elucidation of that on the regulatory side, but, on balance, we would support Bill S-4 moving forward.
March 12th, 2015 / 12:20 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
Thank you very much, Mr. Chairman.
Thanks to the witnesses for joining us today.
Let me start with Mr. Littler. You talked about the idea of a provision, so that a customer could indicate to one of your members in the retail sector that they were basically waiving their rights on an issue that had arrived, that you would notify them that there had been an issue and they would say it was not a problem. What kind of disclosure do you think there would have to be in that case? What should satisfy us in terms of the idea that the person has been really properly informed of what the dangers conceivably could be? We can't just assume that the business is going to do this or do that for the person.
12:20 p.m.
Vice-President, Public Affairs, Retail Council of Canada
I think it's going to be situational. This is not to be fanciful. If somebody's shoe size was revealed to another customer passing by, that is obviously resolvable in the circumstance.
The kinds of harms that are specified are quite varied, everywhere from humiliation to bodily harm to significant financial harm, so I don't know that there is a single answer. Obviously there is a thin skull plaintiff issue here, but where it is something a reasonable person would say there's a risk of significant harm, I think you're frankly into the full reporting regime with a formal report to the individual and a report to the PCO.
In areas that are perhaps a bit more subjective, then if it's possible to get consent for one thing, I suppose it's possible at the same kind of standard to get somebody to indicate they are comfortable there has not been a problem. Now bear in mind there has then been a breach, if you like, so you would still have to record it so that if the person came back later and said, “Well, actually, upon reflection, I'm not happy about it”, at least there would have been a record created.
We are trying to envisage something of a halfway house. This wouldn't preclude that. There is nothing in here that would preclude some informal resolution because if it didn't hit the reasonable risk of significant harm test, then there can still be notice and informal resolution below that level, and could conceivably be worked out between the customer and the retailer, recorded by the retailer as a matter of course under proposed section 10.3.
You'll also bear in mind there are circumstances that we would envisage where something wouldn't even reach the 10.3 level where it's such a technical breach that it doesn't hit the standard in the other sections. We almost envisage three scenarios, one in which it hasn't really offended, although technically there had been a breach of security protocols; one where it might be resolved informally, and should nevertheless be recorded; and then a kind of third level where you actually hit that test on a reasonable belief basis and you are then duty-bound to report both to the individual and to the PCO.
12:20 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
I can envisage a situation where a company I dealt with on the Internet informed me that there had been sort of a breach and that I examined it and said okay, I was satisfied it was nothing too damaging and that I would waive my right to complain about it or to go through the whole process, but the question is whether people are properly informed.
Are there other views on this from witnesses today who would like to comment on this question about how to handle that?
12:25 p.m.
Policy Director, British Columbia Civil Liberties Association
Perhaps in distinction from the view of some of our colleagues on the panel here, my view of what was happening with the recording obligation was that it was not to provide an onerous, bureaucratic nothingness; that it was actually one of those tools of reflection for the organization, in the sense that one piece of misdirected mail is human error, five pieces of misdirected mail is human error, but maybe 20 pieces isn't, and now you're starting to require some bureaucratic attention to systems. As an educative function—because you will, of course, be recording this, however informally it has occurred, even if it's very minor—it would be helpful reflection for organizations, again not punitively, but in order to appropriately assess practices.
That recording and that taking on of the obligation to essentially note even mere, technical, small, seemingly non-risk-based disclosures again helps reflect on practice in ways that we find could be educative.
12:25 p.m.
Conservative
The Chair Conservative David Sweet
Thank you very much, Mr. Regan and Madam Vonn.
Now we will move to Mr. Carmichael.