Industry Committee on March 24th, 2015

Correct.

Well, they don't have any Internet service providers, and mostly the concern here is around Internet service providers.

Yes—which this legislation regulates.

Thank you for the question.

I think this is the classic situation in which the banks don't have to disclose their own vulnerabilities, but they can, in aggregate form through an organization like the CBA, report all the various attacks that have occurred in a certain time period and where those attacks originated from. They'll say that they've had all of these malicious people from the outside or they've had malicious insiders. The Bank of Nova Scotia has been sued in a class action lawsuit because of the actions of a rogue employee. That was not audited properly by the bank in terms of accessing personal information.

We need to know that not just when it comes up and somebody sues, but in aggregate form so that we can develop policy accurately and so we can ask where the focus should be. Should we be investing in protecting our national infrastructure, and the banks are part of that? Should we be telling customers to keep their passwords safer and so on and so forth?

These are basic questions that we don't have answers to. If we got them in aggregate form about various industries, it would be very helpful. We don't have that right now.

I know that the committee asked the commissioner about the resources and received I think a very diplomatic answer in response. I think this is part of the transition that office has to go through, looking back on 15 years of private sector legislation.

When I hear that the commissioner is repeatedly talking about education, it disturbs me, because regulators don't spend a lot of time educating. You don't hear the CRTC talking about educating. You see them making the rules and changing the landscape for the businesses they're regulating. I think the same thing has to happen with respect to the Privacy Commissioner. They need to move to the model of regulator. If that means they need to move resources internally or get additional resources externally, then I think that's what has to happen.

But if we care about personal information protection, we must have an effective national regulator. Right now, we don't have that. As we've said before, we have an ombudsperson who deals with trying to solve complaints.

From my perspective, and just sort of blue sky, obviously you need to bolster the resources of the Privacy Commissioner to deal effectively with these issues, just as when Canada's anti-spam legislation was passed and in Canada you needed to bolster the ability of that department within the CRTC to control that.

I don't know if it's been done sufficiently or not, but to me, in legislation, you set the mechanism of what you want the organization to do, and then the resources just naturally follow from that. Why give somebody the powers and then not give them resources to do their job? To me that doesn't make any sense.

I don't want to tar all the companies with the same brush. I think we have a lot of organizations in Canada that try to do the right thing. Certainly the big organizations that are Canadian try to be in compliance with legislation and are very concerned. That's why you see them appear here in front of the committee trying to advocate for this and that point of view. I don't want to say that people don't want to be in compliance, but we could be in situations where, again, just because of the force of business and what's a pressing issue upon them, they deal with some things more seriously than they deal with others because of the penalties they think will happen or not.

The legislation gives them the discretion to decide as it is, so they have the power to just make the decision. I think the jury will be out on whether that is an effective system or not. Time will tell. It may be one of those things that you do have to revisit and say it is not working properly and we need to move to a two-stage system, or we need to set the threshold at a lot lower level to make sure they are in compliance.

In the section that I commented on, clause 10, proposed paragraph (d.3), one of the protections in the reporting is that it's reported to a government institution, and as I said in my comments, the institution itself as it becomes defined is presumably going to have limitations on its jurisdiction and what it can do with the information. So in protecting the flow of information, at least for the sections I've commented on, that's probably a check and balance that's already built into the legislation.

Yes, the issue was about consent and the effect of providing consent to disclosure of information. I was simply making a point that an individual who is deemed at law to be mentally incapable is not able to provide valid legal consent for anything. That would apply also to a minor. In British Columbia the age of majority is 19. Anyone under the age of 19 cannot provide consent except in certain statutory exceptions. For example, they might be able to provide consent to treatment if they meet the mature minor test for medical treatment, but they would not be able to enter into a contractual relationship, for example, without intervention of the court.

There are other provisions to protect. The idea of consent by someone who doesn't have capacity at law to provide it was my point.