Industry Committee on March 12th, 2015

Thank you, Mr. Chair.

Again, my name is Micheal Vonn. I'm the policy director of the British Columbia Civil Liberties Association. We are of course a non-partisan, non-profit society and one of the oldest and most active civil liberties and human rights organizations in the country. Privacy is a key portfolio of our association, so we are very grateful to be asked to speak to you today on Bill S-4 and particularly pleased that we are able to discuss it with you prior to second reading, while the scope of the bill is still open for discussion.

Our association would like to support and echo many of the concerns and recommendations that have already been brought before this committee by civil society and academic witnesses. For example, we strongly support the position of B.C. FIPA that there is an urgent need to bring federal political parties under PIPEDA.

We also endorse the position of the national PIAC that compliance agreements are of limited assistance in protecting Canadians' privacy rights and that it is long overdue for the federal Privacy Commissioner to have order-making powers, like provincial counterparts. We believe lt is unacceptable that statutory privacy rights that courts characterize as quasi-constitutional are regulated federally largely on the basis of moral suasion without effective enforcement. ln our view, Bill S-4 falls far short of addressing this critical and long-standing problem.

However, time being limited, I will devote my prepared remarks primarily to the Supreme Court of Canada's decision in R. v. Spencer and its implications for Bill S-4.

The Spencer decision, as you know well, dealt with the provisions of PIPEDA that allow for disclosure without consent to government institutions when the institution has identified its lawful authority to obtain the information. The issue in the case was whether the police seeking access to subscriber information without a warrant from an Internet service provider had the requisite authority. The answer to that question depends on whether there is a reasonable expectation of privacy in customers' subscriber information.

The Supreme Court of Canada resolved this issue, on which lower courts had been divided, and found that there is a reasonable expectation of privacy in subscriber information and that it is reasonable for Internet service users to expect that a simple request by police would not trigger an obligation to disclose information or defeat PIPEDA's general prohibition on the disclosure of personal information without consent.

For the purposes of our section 8 charter right to be secure against unreasonable search and seizure, a request by a police officer that an Internet service provider voluntarily disclose subscriber information amounts to a search, and a warrantless search is presumptively unreasonable, according to section 8 analysis that you will find in R. v. Collins. The crown bears the burden of rebutting this presumption by showing three things: one, that the search is authorized by law; two, that the law itself is reasonable; and three, that the search is carried out in a reasonable manner.

Now, the question in Spencer was whether or not the provision in PIPEDA ostensibly allowing for disclosures without consent to law authorities was in fact a law authorizing this. The court said it was not. If it were, the court said, in paragraph 70: ...PIPEDA's protections become virtually meaningless in the face of a police request for personal information....

The court said that of course the police have lawful authority to ask questions relating to matters that are not subject to a reasonable expectation of privacy and of course they have lawful authority to conduct warrantless searches where there are exigent circumstances. But “lawful authority”—that language in PIPEDA as it stands—requires more than a bare request. This we know from Spencer.

Thus we say that there is a need in Bill S-4 to amend the provision that is at issue in Spencer, a provision so confusing that we had to go all the way to the Supreme Court of Canada to have it definitively interpreted. And while some very limited and narrow voluntary disclosures may still be viable under this provision post-Spencer, outside of exigent circumstances such disclosures would require legal advice.

lt is patently unreasonable to maintain a provision that cannot be understood on its face and requires a charter analysis to be used appropriately. As we argued in our lawful access report of 2012, the best approach is to remove this provision in its entirety.

Alternatively, we say that the term “lawful authority” could be replaced by the term “statutory authority” for greater clarity, however the constitutionality of said statutory authority will, of course, ultimately still be a question of debate.

The further question of the constitutionality of express statutory authorities for disclosure, in light of the Supreme Court of Canada's decision in Spencer, has led the special committee reviewing PIPA in British Columbia to call for a narrowing of its voluntary disclosure provisions under the act.

We want to caution this committee that there are at least two reasons we cannot look to Alberta and British Columbia's privacy legislation relating to the private sector for assurance that proposed expansions of voluntary disclosures found in Bill S-4 are likely to go well.

One, there is a clear concern that those PIPA provisions may not be constitutional in light of Spencer.

Two, however little historical challenge there has been in relation to those provisions thus far, the same will certainly not be the case in relation to the arenas governed by PIPEDA, which obviously include telecommunications.

I have other things that I could say about this, but I think I'll save it for questions.

Thank you very much.

Thank you, Mr. Chair, and thank you for having us here today.

The banking industry has long been a leader in privacy protection. Given the nature of the services that banks provide to millions of customers in communities across Canada, banks are trusted custodians of significant amounts of personal information. Privacy and protection of clients' information is a cornerstone of banking. Banks take very seriously their responsibility to protect customers' information and are committed to meeting not only the requirements of privacy laws, but also the expectations of our customers.

We are pleased to have this opportunity to voice our support for the many provisions in this legislation, including the new breach notification and the financial abuse provisions. We are concerned that amendments to eliminate investigative bodies will create uncertainty and may significantly limit the type of information that banks currently share to prevent criminal and terrorist activity.

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. ln fact banks already notify clients in the rare instances of such a breach so that individuals can protect themselves from fraud or any other misuse of their personal information. We are in favour of reporting material breaches to the Privacy Commissioner. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

We look forward to working with the government on guidance and regulations to set out the details of how these provisions will be implemented, thereby providing an effective framework to ensure that Canadians are notified in a timely manner. lt is important for all stakeholders to work together to protect the personal information of individual Canadians, and Bill S-4 effectively creates a framework for this to happen.

The CBA has long advocated for amendments that will help seniors and vulnerable Canadians from becoming victims of financial abuse. We applaud the government for including an important amendment in Bill S-4 that would allow banks to notify a family member or authorized representative in suspected cases of financial abuse. When bank employees see situations in the branch that suggest potential financial abuse, it is the customer's savings that are at risk, and bank staff want to be able to help them to avoid financial abuse.

At present PIPEDA only allows a bank to report suspected cases of financial abuse to a government institution, such as the police or the public guardian and trustee, and only where there are reasonable grounds to believe that a law has been contravened. The suspicious behaviour that bank staff may witness may not necessarily suggest that a law has been broken. lt can still be a case of financial abuse and yet banks are constrained in what they can do to help their clients. Even when banks suspect unlawful behaviour, and are able to report the suspected abuse, they are often told that police or the public guardian and trustee do not have sufficient resources, or sometimes even the mandate, to undertake an investigation on financial abuse.

Our support for this provision is guided by the best interest of our customers, particularly groups most susceptible to financial abuse such as seniors. Banks want to ensure that their staff have the ability to protect their customers from financial abuse, and this provision is an important tool in this regard.

While we are supportive of the majority of the provisions in Bill S-4, we are concerned that some of the proposed amendments may hinder the ability of banks to protect our customers, our employees, our communities, and the financial sector from crime.

Current regulations under PIPEDA contain a list of designated investigative bodies through which organizations can share personal information under conditions set out in the act. The CBA's bank crime prevention and investigation office, or BCPIO, was among the first investigative bodies approved by the government, and it has been in operation for almost 15 years. The BCPIO's information-sharing policies and procedures across organizational boundaries are clearly understood by Canadian banks, along with other participating financial institutions. lt is this formal relationship that allows banks to detect, prevent, and suppress criminal activity such as theft of data and personal information, criminal breach of trust, proceeds of crime, money laundering, terrorist financing, cybercrime, bank robberies, and physical attacks on critical infrastructure.

The bill proposes to replace designated investigative bodies with a framework for the disclosing and sharing of personal information among organizations. ln our view, the new provisions, particularly the wording of proposed provision 7.(3)(d.2), may not allow banks the same scope as the investigative bodies to detect, prevent, and suppress the full range of criminal activities. ln particular, we are concerned that the proposed change limits disclosure to circumstances where it is “reasonable for the purposes of detecting or suppressing fraud or of preventing fraud”. Many of the criminal activities I listed earlier are just not captured by the term “fraud”.

If these provisions are passed in their current form, we believe the ability of the banks to protect the financial system and our customers from criminal activity may be severely hampered.

We ask the committee to consider amending the bill to allow approved investigative bodies such as the BCPIO to continue with their important work. Alternatively, if the committee wishes to maintain the proposed approach in Bill S-4, we recommend that the legislation be amended to ensure financial institutions can share the information needed to detect and prevent other types of serious criminal activity beyond fraud.

ln closing, we want to reiterate the banking industry's support for many aspects of Bill S-4 and ask the committee to consider amending the bill to help protect Canadians from financial crimes.

We would be pleased to answer your questions.

Thank you, Mr. Chairman.

Good afternoon, my name is Meghan Sali. I'm here today on behalf of OpenMedia, a non-profit organization working to safeguard the digital rights of Canadians. I'll structure my remarks today by focusing primarily on a critical issue within Bill S-4, which, if passed in its current form, could expose Canadians to an unwarranted exploitation of their private data.

Subclause 6(10) proposes to expand voluntary disclosure of sensitive information by a private company, most notably in our estimation, by telecom providers. It would also allow for involved service providers to offer this information to anyone without the consent of the individual.

Today I will briefly cover a few points central to this issue, including the sensitivity of basic subscriber information, the overly broad disclosure framework in Bill S-4, and the lack of trust concerning the entities seeking disclosure.

Flagging a common use case for such provisions, I would ask you to imagine a private company seeking to sue the customers of Internet service providers based on the anonymous online activities they see. Before they can proceed, this company would like the ISP to identify who is behind the IP address, by voluntarily turning over basic subscriber information. Considering that a report issued by the Privacy Commissioner just last year outlines how online identifiers can be extremely revealing, potentially conveying information about a person's medical status, religious views, sexual orientation, political affiliation, and more, the argument against this information being considered “basic” is extremely compelling.

As you know, Bill S-4 also comes on the heels of a Supreme Court of Canada ruling that Canadians have a reasonable expectation of privacy with regard to this type of information. In the Spencer ruling, with regard to IP addresses, the Supreme Court stated:

The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private...

Or as a supporter, Shawn, wrote on our website:

We have a right to privacy, and to not be subjected to criticism or surveillance based on meta data.

Additionally, a number of courts have spoken out about the need for privacy protections to prevent abuse by private companies trying to sue the customers of ISPs. As with previous presentations, OpenMedia invited citizens to share their concerns concerning Bill S-4, and to help shape my testimony today. I think it's important for MPs to put the lived experience of Canadians front and centre in these deliberations.

Dave Carter had this to say in a comment submitted on our website:

No company, public or private should have a right to access my personal, private information without following due course of procedure through obtaining a court approved warrant. This is akin to a stranger cutting the keys to your house and letting themselves in whenever they want to snoop through your socks and underwear drawers.

I will now move on to my second point. The framework under Bill S-4 allows disclosures for the purpose of investigating the breach of an agreement, or a contravention of the laws of Canada or a province, that has been, is being, or is about to be committed. Experts and the Privacy Commissioner have indicated this framework is overly broad, and that allowing the voluntary disclosure of personal information, simply on the basis of an investigation, could lead to a violation of privacy rights. Disturbingly, the scope of such private investigations is not defined in this bill.

As supporter K.A. told us on our website:

A law letting a private company share individuals' private information on the mere suspicion of wrongdoing is just too broad a power to have. This is putting a private company, even one with a vested interest in certain outcomes...to become an accuser, judge and jury, for unsuspecting individuals.

This brings me to my final point, which centres on the issue of trust. As I've mentioned, if we were to disclose data that is highly sensitive based on a very loose framework, with no oversight, accountability, or citizen consent, I would expect we would generally have a great deal of trust in the ethics of the entities involved. This bill comes at a time when our copyright notice and notice rules, just implemented in January, are being exploited and distorted. Specifically, media entities and their firms have been sending misleading, and in some cases flagrantly abusive, copyright infringement notices to Canadians. Many of these notices threatened massive lawsuits of up to $150,000, demanded settlements from individuals before any court proceedings, and even threatened users with being kicked offline for unproven accusations of infringement. Some of the notices even mentioned online activity that the user had never engaged in, let alone acquired related files.

One supporter, who asked to remain anonymous, told us in an email:

l...have received two copyright infringement notices from IP-Echelon which...have accused me of downloading HBO's "Girls", a show I have definitely never heard of.

Another supporter, coincidentally accused of downloading the very same HBO show, forwarded us his reply to TELUS, his ISP. He says:

I do not know of this show and have no record of downloading or streaming such a show. As the letter is threatening in content and provides no proof of the claims it makes, I would like it if you would provide me with the proof of such an event taking place.

Since January 2015 OpenMedia has seen more than 11,000 Canadians speak out on this issue through our website alone. Thankfully, rights holders and their firms do not have the personal information associated with the IP address, where the notices are being sent. This critical element of our notice and notice provisions maintains that a private entity must obtain a court order to access the personal information of a subscriber. Bill S-4 would undermine this clearly necessary safeguard and associated oversight with a court of law.

The question before you now is, knowing how some firms have already abused our notice and notice provisions, why would we give them unauthorized access to the sensitive personal information of innocent Canadians? Why leave our privacy rights in their untrustworthy hands?

In conclusion, I would like to say that we applaud the steps taken by this government, in particular on telecom and copyright issues, to ensure that customers are treated fairly and respectfully by companies that provide services to Canadians. However, this positive legacy will be put at risk by allowing subclause 6(10) to stand, as more Canadians are exposed to privacy breaches and potentially harassing demands from companies that have demonstrated they are not deserving of our trust.

Thank you for your time, and I'd be happy to answer questions.

Thank you, Mr. Chairman.

I think most members will be familiar with RCC, which has been the voice of retail in Canada since 1963. As a not-for-profit industry association, we represent over 45,000 storefronts on a national basis, of all formats ranging from independent through grocer, online, and mass merchandise merchants.

We appreciate the committee's invitation to appear today. While we're not in as strong a position as my friends here from BCCLA and OpenMedia to comment on the legal intricacies of Bill S-4, we would be pleased to provide some general observations from a retail perspective.

Retailers are generally supportive of the proposed legislation, but do believe that it could be improved upon in some areas, which I and my colleague will address.

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach. More specifically, we support the clarification on the exclusion of business contact information, as this was clearly not meant to be captured. This section 4 clarification will better equip businesses to conduct their ongoing operations. We also support the provision for more flexible resolutions to breaches of the act's requirements, notably the provision for voluntary compliance agreements in section 15. We also support the reasonable belief basis for reporting in proposed section 10.1.

Turning to the issue of consent in section 5, we do note that it provides that consent is not valid unless how the information will be used is clearly communicated in a language appropriate to the target audience. We certainly agree with the principle. We understand this is the target of that section, that a vulnerable population such as children should be protected.

We don't take the position that some previous witnesses have that this proposal is superfluous and should be withdrawn. That said, we would encourage the inclusion of a provision for regulation to specify which vulnerable groups are covered. While it may be challenging to do so, a regulation could specify a non-exhaustive list including the obvious examples of minors through to those with cognitive disabilities and those lacking full fluency in the language in which they're being served. Further from that, non-prescriptive guidance from the commissioner's office on appropriate best practices would provide practical guidance for merchants.

With regard to record-keeping, we note that proposed section 10.3 requires that records of breaches be kept in a manner prescribed by regulation. Retailers encourage the inclusion of a materiality test for record-keeping specifically, as it would allow for greater certainty and would tend to limit onerous and less helpful record-keeping, where a breach has occurred technically but without any reasonable prospect of material harm. We're thinking of instances like a computer screen being left unattended or a filing cabinet being left open, where a third party may have passed by. We want to avoid the trivial and ensure that there is some material requirement here for the keeping of records.

We would also suggest including a provision specifying a reasonable length of time for record-keeping, perhaps one year, but we're obviously open in that regard. What we don't want is an obligation to keep records in perpetuity, where they may be diminishing in use from the perspective of the public good and would be onerous for merchants to maintain.

With your indulgence, Mr. Chair, my colleague, Jason McLinton, will make two further observations and conclude on our behalf.

Retailers note with interest the section that grants the Office of the Privacy Commissioner seemingly unrestricted discretion in releasing any information under its control to the public when deemed to be in the public interest. Retailers would like to see some reasonable limitations around this disclosure clause as, understandably, releasing potentially sensitive business information without parameters risks causing serious and irrefutable reputational harm to businesses.

Our final comments relate to single window reporting and compliance. We note that Alberta has legislated in this area and that other provinces and jurisdictions are considering legislating in this area. We encourage the inclusion of a provision that would ensure single window breach reporting and single window compliance agreements, or any sort of other compliance, as other parties consider legislating in this area. An example might be that the Office of the Privacy Commissioner could be given the ability to waive reporting requirements when suitable notification has already been given in another jurisdiction and handled there. This would avoid unnecessary and potentially administratively onerous double reporting with different formats or multiple compliance requirements.

To conclude our comments, retailers support the bill but think it could be improved by some targeted amendments. We would of course be delighted to work with this committee, Industry Canada, and the Office of the Privacy Commissioner to help secure those improvements.

Thank you.

One of the things that we've noted is that in 2012 there was a study that said that a lot of this consent is being signed in disclosure agreements and terms of service agreements. There was actually a study in 2012 that stated it would take 72 work days for an individual to read all of the terms of service that they sign in a year.

Unfortunately, we don't think that's a reasonable expectation, that people would be able to read and understand, especially children, a lot of these things that they are being asked to comment on. I don't think those provisions go far enough.

[Inaudible — Editor] ... useful around that qualification of what you are required to do in terms of consent is that it brings to light for the organizations involved that uses of big data, metadata, the kinds of data analytics that many people don't consider when they are looking at consent simplicitors. They need to be alive in their minds to the modern usage of data and informing people about how they intend to use these new analytical tools. That's one of the advantages we see to this calling of attention to consent.

I might add something to what my colleague has said.

We have taken issue—and I realize you're talking about reporting now rather than recording—with the way the reporting requirement is framed and do believe there should be a materiality test there. We could envisage circumstances in which there would be a breach, and the matter could be resolved informally between the retailer in their setting and the customer in place. Although technically there's been a breach, the customer has determined that it doesn't bring risk of significant harm. I'm thinking particularly in the areas that are a bit more subjective, like humiliation, or what have you.

We could imagine a world in which it wouldn't seem necessary, then, to conclude that although we have an informal discussion with the customer, that is something that requires a formal notice both to the individual and to the commission. We can see a space in between, if you like, for informal resolution in situ between the merchant and the individual customer.

Canadian banks today are committed to working together to prevent, detect, and suppress, and also respond to crime as it exists in Canada. We do that under our investigative umbrella called the bank crime prevention and investigation office. That currently provides a secure environment.

Our concern is that the bill that's proposed won't affect the investigation aspect at all. Basically, we're here to flag the notion that especially (d.2) may inhibit the ability for the banking sector to share information for non-fraud cases.

Absolutely. As I noted in my presentation, metadata can reveal extremely personal information about people that also will echo Ms. Vonn's points that these people often don't know is actually being revealed. That can include, as I said, the histories of websites they visit, so it's like looking at cellphone calls.

The metadata for a cellphone call can tell you who you called and for how long you talked to them. It can't tell you the contents of that person's phone call, but it can tell you how many times that person speaks to them, how many times they visit their bank's website, what their bank's website is, what other websites they visit. It can definitely reveal a pattern of behaviour that tells a lot about a person.