Industry Committee on March 26th, 2015

Thank you very much for providing me with the opportunity to speak to you today.

My name is Éloïse Gratton. I am a partner at Borden Ladner Gervais. I also teach a privacy law course at the University of Montreal law faculty.

I've been practising in the field of privacy law for over 15 years and I represent a range of clients, mostly private sector businesses from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients.

My time is limited, so I'm going to first mention two provisions in Bill S-4 that have my support, and then two that raise concerns.

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

I have concerns with two provisions in Bill S-4, the first one being the clarification on valid consent. I know that many have appeared before me to discuss Bill S-4 and they have expressed their approval of the proposed amendment to clarify the requirements for valid consent.

Yes, in theory, not many people would logically object to having more stringent provisions governing valid consent; still, I have a few concerns with this proposal.

PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: do we have a concern with this consent requirement, and if so, will the proposed amendment address such concerns?

If the proposed amendment is accepted, the message sent to organizations is that the way they used to get consent may no longer be valid and that perhaps they should be taking additional steps.

PIPEDA is based on a “notice and choice” model that may prove to be a real challenge in 2015. In my recent book Understanding Personal Information, I have a chapter dealing with the challenges with this notice and choice approach. I was raising that in our day and age, it is debatable whether this model still makes sense and is a realistic one. Very busy individuals with limited time are expected to review, understand, and agree to various different—sometimes online—terms of use agreements, and keep up with new technologies and business models constantly evolving.

We have also already begun witnessing how consent forms are now requiring a few additional clicks to ensure that express consent is obtained in compliance with the new Canadian anti-spam law, since under this law certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement. I am mostly concerned that this type of amendment will be translated by organizations including additional verbiage in their already very long privacy statements and by requiring more clicks from users already overloaded with information.

I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand in some situations the necessity for this proposal.

A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One example worth noting was the case of Stevens v. SNF Maritime Metal. It's a case that ended up in the Federal Court in 2010. This was the case of SNF, a company purchasing scrap metal from another company. That company's employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal to them. SNF disclosed the fact to his employer, who was already suspecting that someone was stealing scrap metal from them. The company realized that its employee was indeed stealing from them. They fired him and the employee then sued SNF for breach of his privacy.

Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since they had disclosed personal information about Stevens, the fraudulent employee, to its employee and their business partner without his prior consent.

The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the investigation of a breach of an agreement provision, or the purposes of detecting fraud provision. These disclosures would further be invisible to both the individuals concerned and to the Office of the Privacy Commissioner.

If we could find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such a situation would have to be transparent about these disclosures, I would offer my support to this type of amendment.

Thank you. I welcome your questions.

We will both be making a presentation, Mr. Chair.

My name is Frank Zinatelli. I'm vice-president and general counsel with the Canadian Life and Health Insurance Association. I'm accompanied today by my colleague Anny Duval, who is counsel with the CLHIA.

The CLHIA represents life and health insurance companies, accounting for 99% of the life and health insurance in force across Canada. The Canadian life and health insurance industry provides products that include individual life and group life, disability insurance, supplementary health insurance, individual and group annuities, including RRSPs, RRIFs, TFSAs, and pensions.

The industry protects almost 28 million Canadians and about 45 million people internationally. The industry makes benefit payments to Canadians of $76 billion a year, has $647 billion invested in Canada's economy, and provides employment to over 150,000 Canadians.

We welcome this opportunity to appear before the committee as it reviews Bill S-4, which makes important amendments to the Personal Information Protection and Electronic Documents Act.

For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has been long recognized by the industry as an absolutely necessary condition for maintaining access to such information. Accordingly over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.

For example, in 1980 we developed right to privacy guidelines that represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protections acts in the early 2000s, and health information legislation in various provinces.

The industry's overarching theme is to achieve harmonization in the treatment of personal information across Canada as much as possible. The operations of life and health insurers are national in scope, and many common day-to-day transactions may involve interprovincial collection use and disclosure of personal information. Thus, the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level is very important to avoid unproductive duplication and confusion for consumers, organizations, and regulators alike.

With harmonization in mind, let me turn now to Bill S-4, the digital privacy act. The industry is generally supportive of the bill, as it contains some needed updates that move PIPEDA to be more consistent with other private sector privacy legislation in the country.

For example, B.C. and Alberta deal with the use of information without consent of the individual more effectively than is now the case in PIPEDA. In this regard, the industry strongly supports those amendments to section 7 of PIPEDA, particularly proposed paragraph 7(3)(d.2), which would help industry efforts to detect, deter, and minimize fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging.

The industry efforts to control the incidence of fraud are not in conflict with our protection of personal information, but we note that there's a gap in the current legislation that restricts the ability of organizations to disclose information without consent of the individual for the purpose of conducting an investigation into a breach of an agreement or of a law of Canada.

While it is industry practice to obtain consent, there exist clear instances where this cannot be done—for example, where the suspected perpetrator is a third party that is not directly involved with the insurance contract, such as a service provider to a member of a group benefit plan.

In some instances, obtaining consent makes no sense. For example, this latter situation is contemplated in a note to principle 3 of the CSA model code for the protection of personal information, which forms part of PIPEDA:

When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.

For these reasons, we support Bill S-4's amendments to section 7 of PIPEDA, which more clearly set out when personal information can be collected, used, and disclosed during an investigation.

This will allow all parties to more clearly understand the range of acceptable circumstances when there is an exception to consent and will have the additional advantage of being harmonized with the approach used in both the Alberta and B.C. PIPA.

Mr. Chair, we would like to comment briefly on two other provisions of the bill. I will discuss the first aspect and my colleague Mr. Zinatelli will discuss the second one.

With respect to the breach notification provisions in the bill, the life and health insurance industry has long supported a method of notifying individuals that is proportional to the risks of harm that may be experienced by those whose personal information has been compromised. We appreciate the effort that has taken place to harmonize provisions as much as possible with the provisions now present in the Alberta legislation. But we believe there could have been even more harmonization.

For example, the record-keeping requirements in the bill require that an organization maintain a record of every breach involving personal information under its management. Given that in some instances there would be no impact on the individual or the organization, we suggest that consideration be given to linking the record-keeping requirements to the level of risk associated with any particular situation. This could probably be done through regulations.

Finally, Chairman, we would like to touch on a provision that has already received a lot of attention by other witnesses: proposed PIPEDA section 6.1, in clause 5 of the bill, describing when consent is valid.

We believe a clear and consistent understanding of consent for the purposes of privacy legislation has developed across Canada during the last decade or so. We are concerned, therefore, that the attempt at clarification may well create more confusion than fulfill the purpose for which it was created. We understand that this amendment is aimed at supplementing the test for informed consent in the context of, for example, minors in their online interactions. But proposed section 6.1 is not limited to the areas of concern expressed. Without clarification in the bill, in regulations, or by some other formal means, it raises questions for organizations as to what is expected of them and how it would be applied and interpreted. We suggest that such clarification is necessary and can be achieved through guidelines or regulations.

Chairman, the goal of our industry is to improve the workability of personal information privacy rules by promoting the adoption of provisions that are practical, predictable, and harmonized across the country as much as possible.

The industry greatly appreciates this opportunity to participate in the committee's review of Bill S-4. We would be pleased to answer any questions you may have.

Thank you.

Thank you, Mr. Chair.

I also thank the committee for the opportunity to share with you our thoughts on Bill S-4.

Before addressing our views on this bill, I would like to begin by making a few preliminary remarks regarding the role of my organization, Credit Union Central of Canada, and more generally, the credit union system in Canada.

Canadian Central is the national trade association for its owners, the provincial credit union centrals. Through them, we provide services to about 315 affiliated credit unions across the country.

As you may know, credit unions represent an important part of the Canadian economy. We have about 1,700 credit union branches that serve 5.3 million Canadians. We have $170 billion in assets and 27,000 employees.

Credit unions in Canada come in all shapes and sizes. It's important to understand that some of our smallest credit unions have less than $10 million in assets, one full-time employee, and one part-time employee. Our biggest credit unions have $20 billion in assets and literally thousands of employees. So there's a lot of disparity or gap there. Regardless of size, however, as member-owned and controlled institutions we believe we have an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for the protection of our members' privacy.

The Credit Union Code for the Protection of Personal lnformation, adopted by credit unions in advance of the 2004 compliance deadline, really speaks to the system's long-standing commitment to member privacy. In fact, well before it was required or fashionable, this code reflected the credit union system's commitment to protect member privacy by proactively implementing consent requirements for the use of personal information. This commitment to member privacy is enhanced through employee training programs, strong internal policies and procedures, and member awareness programs.

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse. However, we think this measure could be refined somewhat by making it possible to disclose suspected abuse to a member of the individual's family. Research has shown that often, in the case of elder abuse especially, the next of kin are the abuser. We think a little stretch would help with that situation.

We are especially encouraged by attention to this important public policy issue because the credit union system has taken a bit of a lead on this issue of elder abuse. We've designed a course for front-line credit union employees on financial elder abuse detection and prevention and recently made an announcement to that effect with Minister Wong in Winnipeg. We also like Bill S-4 because it does a lot to reduce some of the regulatory burden that results from the current framework.

To give you an example, we are supportive of the proposal that would make it less difficult for institutions to share information when they're in merger discussions. As you may know, the credit union system is rapidly consolidating, so this is a welcome development. Similarly, we support the proposed amendments that permit the sharing of information between organizations for the purposes of fraud prevention. This too will reduce the administrative burden associated with some of the activities of Canadian Central, my organization's Credit Union Office for Crime Prevention and Investigation.

We note, however, that as drafted, the information sharing between financial institutions appears to be limited to the detection and suppression of fraud. We would recommend that financial institutions be allowed to share information related to criminal activity to cover the broader range of activities that we want to capture: bank robberies, ATM breaches, and that kind of thing. We also have some concerns about provisions that may increase regulatory burden.

Specifically, the legislation proposes requirements that would compel financial institutions to keep records of all data breaches. As you know, the reporting requirements say that breaches must be divulged when they pose a real risk of significant harm to individuals. We're not clear why it is necessary to impose record-keeping requirements that are not aligned with this reporting test. The usefulness in recording incidents that do not meet the significant harm reporting threshold is not readily apparent to us. We would recommend aligning the record-keeping requirement with the proposed reporting requirements. We also question the proposed potential penalty of $100,000 for non-compliance with this new record-keeping requirement. While this may not be a material amount to some of our larger competitors, you can imagine the impact of a fine like this on a small credit union with $10 million in assets and whose profits are well under $1 million. This could really harm the credit union. We'd recommend that the fines be geared to the size of the institution.

To help put these concerns in context, just to give you a sense of why these large and small institution issues matter to us, we did a study back in 2013 on regulatory burden. We found that small credit unions, those with fewer than 23 employees, devote fully one-fifth of their staff time to regulatory administration. It's a huge burden for our smaller institutions. Our bigger institutions devote only 4%, and keep in mind that our biggest institutions are many times smaller than the biggest banks out there.

The unintended consequence of a lot of the regulations that get imposed on the credit union system is that they inadvertently create a competitive advantage for larger institutions, and that's a concern for us. In fact, we raised that concern with the finance committee here at the House of Commons, and they agreed. They said that “the government should examine means by which credit unions and caisse populaires could be on a level playing field with Canada’s large financial institutions”. We think there are a couple of areas in this proposed legislation that could be tweaked to address that concern.

To conclude, we want to thank the committee for this opportunity to share our thoughts on Bill S-4. We applaud the government for some important and positive changes, especially around information sharing to prevent financial abuse of seniors and to reduce administrative burden.

That said, we would recommend adjusting the bill to allow financial institutions to share information related to criminal activity in order to cover crimes such as bank robberies, ATM compromises, and so on. We are also recommending that the bill be modified to make it possible to disclose suspected abuse to a member of the individual's family, not just next of kin. Finally, we would just ask that the government continue to be sensitive to the needs of smaller financial institutions by, for example, aligning record-keeping with record-reporting requirements and making fines for non-compliance proportional to the size of the institution.

We want to thank the committee again for our opportunity to share these perspectives, and we look forward to your questions. Thank you.

I'm glad as well, Mr. Chair. Thank you.

My name is Randy Bundus, and I am senior vice-president, legal and general counsel, with lnsurance Bureau of Canada. I am joined by my colleagues Maddy Murariu, with IBC government relations, and Rick Dubin, with IBC's investigative services. We are pleased to be here today.

IBC is the national industry association representing over 90% of private home, car, and business insurers in Canada. My remarks will focus on how Bill S-4 will affect my industry's ability to continue to combat insurance crime, which includes fraud and auto theft.

Insurance crime is big business in Canada. A recent Ontario government task force estimated that in that province auto insurance fraud alone costs up to $1.6 billion yearly. Insurance crime costs everyone in higher premiums and increased costs to our legal and medical systems.

Our industry works hard to suppress and prevent insurance crime through early detection, and also works hard to protect our customers' privacy. Insurers know that they must safeguard customers' personal information or risk losing business.

There are different types of insurance crime. It can be opportunistic. For example, a driver hits a guardrail and then invites a friend, a “jump-in”, to falsely state that he was also in the vehicle and suffered an injury for which he then claims compensation. Opportunistic claims are handled by insurers, but PIPEDA does not allow one insurer to verify facts by reaching out directly to another insurer that might also have been victimized by the suspected fraudulent incident.

Insurance crime can also be premeditated and organized. Large crime rings stage collisions that involve fraudulent injury claimants and others such as auto body shops and medical rehabilitation clinics. A crime ring can generate several million dollars in fraudulent claims.

IBC's investigative services, or ISD, was the first designated investigative body under PIPEDA, and it plays a critical role in the investigation of organized insurance crime. ISD is uniquely positioned to investigate organized insurance crime that involves multiple insurers, multiple claims, and multiple claimants. An example of this is the case of a police officer in Peel Region who was convicted in February on 42 counts, including 21 counts of fraud. This officer falsely reported nine collisions and, as a result, 14 insurers paid out almost $1 million in false claims to 69 participants.

ISD begins an investigation as a result of being made aware of an anomaly in an insurance claim. Information triggering an investigation may come from an insurer, a victim, law enforcement, or a tip from an informant. ISD then acts as a case file manager, coordinating investigations and identifying linkages between parties that are then submitted to regulators and other enforcement agencies. Individual insurance companies are not well positioned to handle organized crime on this scale.

This brings me to Bill S-4. We support the proposal in Bill S-4 to repeal the sections in PIPEDA that create investigative bodies and instead allow for an organization to disclose information to another organization in limited circumstances. These circumstances, as set out in Bill S-4, are to investigate a breach of an agreement or contravention of a law of Canada, and to detect, prevent, or suppress fraud.

My industry's experience under PIPEDA in investigating and detecting insurance crime has been of mixed success. While IBC's investigative services have been successful in combatting large, organized insurance crime, that has not always been the case for insurers in handling the opportunistic fraud. This is because many of the insurers are not able to disclose to each other information about suspected insurance crimes.

The proposed changes in Bill S-4 would help investigations into opportunistic or one-off insurance crimes involving only two claimants with two insurers, such as the jump-in example I gave earlier. Bill S-4 would allow insurers to disclose, in those very limited circumstances, when it is reasonable to do so, information to another insurer without the involvement of an investigative body.

An insurer could also disclose that information, in the same very restricted circumstances, to an organization such as ISD in the investigation of insurance fraud. In our view, this new process would be efficient and effective in detecting, preventing, and suppressing fraud, while still being respectful of privacy rights. Under Bill S-4, ISD could continue to function as a case file manager for organized insurance crime.

In our written comments to this committee, we address a number of other important issues in Bill S-4, including some minor wording changes to ensure consistency among the provisions allowing for responsible fraud investigations. We would be pleased to discuss these matters with this committee or with Industry Canada officials.

Thank you for your attention. I'd be happy to take any questions.

I'm going to ask my colleague Mr. Dubin to address that question.

I think the best way is to give a very brief scenario and show you why we support this.

Here's a scenario that we've run into several times. We have a left-turn situation in front of what seems to be an innocent vehicle. The other vehicle turns in front, and there's a collision. There is not significant damage, just bumper damage to the front of this so-called innocent vehicle. The driver says there are three occupants in the vehicle. In reality—and this is what we're going to get to, these are what we call jump-ins—they weren't in the vehicle at the time the collision took place.

Keeping in mind that the vehicle making the left turn is usually presumed to be at fault, the adjuster now receives this claim and does what we call a Carfax or AutoPlus report, where they're looking into a general history of the driver and vehicle that they insure, and he would contact IBC. They'd find out from that information that this driver and the vehicle were involved in a previous collision. It does identify the other insurer as well in those public reports. What that information has that they're not able to get to yet is that the other insurer also had a left-turn situation with multiple occupants in this vehicle.

Now, this accident happened late at night in a quiet neighbourhood, obviously at an intersection, and there were no witnesses. All three occupants were claiming soft tissue injury, but they didn't report it at the scene of the accident so the police didn't attend.

Under the current law, the adjuster obviously can't contact the other insurer to find out the facts of the other collision, so they're in the dark at this point. In the meantime, the claim starts getting paid and the occupants receive weekly income disability payments. They attend rehab facilities for extensive treatment, all of them usually receiving the same type of extensive treatment of physiotherapy, massage therapy, or chiropractic. At the same time that these bills are building up, the body shop is now doing the repairs to a vehicle that could very well have been previously repaired in the other accident.

It's reported to IBC at this point by the insurer just to let us know that they have some concerns, but the other party looks at fault. They can't contact the other insurer, so they start payments.

We support the bill because if the bill were passed, it would allow the insurer of this vehicle to contact the other insurer. They would find out some of the scenarios, that the same scenario existed with the same service suppliers: they used the same rehab facility, the same body shop, everything was virtually the same. This accident even took place in the same area.

What I'm getting into is an identified social network. It creates linkages among the possible participants in the suspected fraud, but because they couldn't contact the other insurer, because they didn't want to be found to be in bad faith, they started payment. They would have informed IBC, and we would get to it at some point.

The problem that exists here is that by the insurer contacting the other insurer immediately when they had these red flags coming up, they could quickly ascertain that this is a very suspicious situation, and they're in a position to at least stop payment and deny the claimant, stop the bleeding. With the way things stand right now, because they don't want to be accused of bad faith, they start payments right away.

Finally, just to give you an idea of how serious this is in the province of Ontario, the Insurance Bureau of Canada has the statistics that the average accident benefits payment per person in Ontario is $31,785. This is the staged collision capital of Canada, right here in the GTA. The average in Atlantic Canada for accident benefits is $8,668, and in Alberta it's $3,766.

A major problem that exists here is the identity theft we're seeing with service suppliers. That's a key reason these individuals get these accident benefits forms submitted to the insurers; there's a lot of forgery going on.

I've been in the insurance industry for 35 years as a senior investigator and a solicitor and negotiator, so I'm very familiar with the general practices. An underwriter will look at prior accidents. They won't necessarily be contacting the other insurer for facts. They'll see that there was another accident.

What we do find is that in order to camouflage this a lot, they change the ownership of the vehicle that seems to be involved in let's say a multitude of different staged collisions. That really creates difficulty for an underwriter to know that this same individual was involved in suspicious circumstances.

They intentionally change the scenario as to ownerships of vehicles and run between different insurance companies. All the underwriter is going to see is that possibly there was another accident, but they won't get into the specific investigation of the facts of that particular accident.

Actually, no, and I have to say that this is a concern. If an injury is not reported at the scene of an accident...and these individuals intentionally do not report, in a lot of cases, at the scene of the accident and will go to a collision reporting centre afterward. At that point in time there will be a report taken.

The insurers have access to that report, but again, it's very limited information. All it's basically going to say is a left-turn situation. They probably charge the driver doing the left-turn situation that was staging this collision intentionally. It would just show the fact that the other driver drove into them. That's all they're going to have.

Actually, at the time, initially after the accident, they won't even have the names or facts of occupants, because the police didn't attend the scene of the accident. They've got up to 24 hours for these occupants to show up, let's say at a collision reporting centre, and claim that they were involved in an accident. In a lot of cases they don't even bother, and the next thing you know they've hired counsel and put the insurer on notice.

Well, I think the example I gave is.... The insurance industry is quite well trained in terms of first contact and the type of information they need to receive. They're just going to start acquiring what I gave you in terms of certain information: the time of the accident, where it took place, how many occupants, the nature of the damage, how soon was the tow truck driver there, did somebody recommend the body shop, how much damage was there to your vehicle, where were you going at the time, where were you coming from, how do you know these individuals, things like that.

They're going to start developing certain red flags. Based on those red flags, it doesn't mean that there's fraud; it means that it requires further investigation. This is the point that a prudent individual, having reasonable grounds, such as what I suggested, should be contacting the other insurer and saying, “What's happening here?”

In terms of another problem that exists, in 2014 IBC investigated on an ongoing basis 52 rings. A ring investigation usually involves at least 20 to 50 suspected staged collisions that we have to investigate. On top of that, we took 14 new ones. Even though the insurer reports it to us, we can't take these claims right away. They're going to sit until we can get to them, and unfortunately these payments are continuing all the way through. By the insurer being able to contact the other party, they would be able to stop the payment at this point in time.

Basically, we have a problem with the fact that people are constantly being asked for their consent. They are exposed to a lot of information and I am afraid that with the proposed amendment, businesses will simply include more information, and ask for additional consent, and so on. I have the impression that we are not solving the problem.

If there are concerns with regard to the consent given by minors, that should be handled in another way, regarding the type of consent to be obtained from a minor through his or her parent or parental authority. Our concern is more in regard to obtaining the consent of an adult. We have to look at the issues and target them more precisely.

The proposed amendment is probably going to create confusion. That said, I think that fundamentally, the acts raise problems in the sense that everything has to be authorized by consent. In my book, I suggest that we protect less personal information and target the potential uses of information that can be nefarious for individuals. The issue of consent has been well managed over the past 10 years. I don't want to call the whole bill into question, but I think that the proposed amendments are simply going to create confusion.

We need this type of provision. But I am a little worried that they will be used in fishing expeditions, so to speak. Information will be exchanged, to see if something comes out of it and if a file has to be opened. That is our concern.

I listened to the testimony of representatives of the insurance companies and other organizations. I understand the fraud issues. We need to target the type of situation that could arise with that type of information exchange. We have to ensure that before an exchange is authorised, there is a reasonable doubt, and that a certain amount of investigative work has already been done and that this is not a fishing expedition.

I think part of the solution could also be transparency. If there were transparency during an investigation it could happen in some cases that one did not obtain the necessary information. Could transparency be a factor afterwards? We would to think about that, but I feel transparency would be appropriate in this type of exchange between organizations, whether we are talking about insurance companies or other private sector businesses.