Industry Committee on April 21st, 2015

Evidence of meeting #40 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was amendment.

A recording is available from Parliament.

On the agenda

Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

MPs speaking

Also speaking

John Clare Director, Privacy and Data Protection Policy Directorate, Department of Industry

Christopher Padfield Director General, Digital Policy Branch, Department of Industry

Lawrence Hanson Assistant Deputy Minister, Science and Innovation, Department of Industry

12:05 p.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Thank you, Mr. Chair.

I would point out to the committee that this exception to the requirement for consent is very narrow. It's very specific to a data breach scenario. Experience has shown that when a data breach occurs, the ability of an organization to share the fact that information has been compromised with other third parties allows them to mitigate or reduce the risk of harm.

The perfect example is a retailer that has the credit card numbers of their customers compromised and exposed in a breach. The retailer, by notifying the credit card company, could reduce the risk of harm by saying that they have had 50,000 credit card numbers compromised. The credit card company can put a flag on those accounts, monitor them for unusual activity, and actually help the retailer identify the contact information for those individuals so they can go out and directly notify them that a data breach has occurred.

What this provision does is provide an exception only in that circumstance. When you're disclosing personal information to a third party in the context of a data breach so they can help reduce or mitigate the risk of harm, you don't need to get consent to do that. In my example, you don't need to go to the customer and ask if it's okay to tell the credit card company that the customer's credit card has been stolen.

12:05 p.m.

Conservative

The Chair Conservative David Sweet

Is there any other conversation? Those in favour of amendment PV-18...?

(Amendment PV-18 negatived [See Minutes of Proceedings])

Ladies and gentlemen, I'm pretty certain now that these are all the proposed amendments for clause 10.

(Clause 10 agreed to)

(Clauses 11 and 12 agreed to)

We're now on amendment NDP-13.

12:10 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

I just want to specify that this is a corresponding amendment to a future amendment. It's a little bit tricky because we haven't voted on the other amendment yet. The overall intent here is to give the Privacy Commissioner more powers, specifically order-making power, so that we can force organizations that aren't complying with PIPEDA to have an incentive to comply by the commissioner's investigation resulting in something more than a simple recommendation—an order that would be respected.

Now, I understand there are some good actors and we definitely want to encourage organizations to not have to get to the point where there's an order that's made or that there is some good will. There's a lot of good will out there. I think the series of amendments I want to put in place allow organizations, following the commissioner's order, to have a certain delay to be able to comply with that order without there being any repercussions. After that, obviously there is some wiggle room for some exceptions and some time extensions to be applied, but if the organization has not complied with that order within a certain amount of time, the commissioner would have the ability to bring that matter to court, which could then impose fines. We've heard this from multiple privacy advocates. This is very important because what we're seeing right now, especially in this age of big data where we have international organizations coming into Canada, is Canadians using these services but then completely disregarding any recommendations coming from the Privacy Commissioner's office. It's extremely problematic.

I see I'm supposed to speak to this amendment, but I guess I'll just speak to NDP-14 too because they are related. I think we need more than just compliance agreements. I think compliance agreements are a good start, but they don't go far enough. They don't go far enough to ensure that the Privacy Commissioner has the powers that he needs to be able to make sure that PIPEDA is being enforced and for organizations to have real incentives to respect the privacy of Canadians, which unfortunately is not happening right now. We've heard witnesses say the compliance agreement is a good start. I think everyone will say that, but we need to go further to ensure in this age of big data that privacy is protected.

I'm just going to perhaps specify that I'll speak to NDP-14, and I guess NDP-15 at the same time, then. I'm speaking to NDP-13, NDP-14, and NDP-15 altogether since they're very much related.

Thank you.

12:10 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

I will, not surprisingly, ask the officials to comment on all three of those amendments—NDP-13, NDP-14, and NDP-15.

12:10 p.m.

Director General, Digital Policy Branch, Department of Industry

Christopher Padfield

It may also be useful to consider NDP-16 and NDP-18. I think they're all part of the same order-making framework.

Just on the context of order-making powers, it was an issue that was discussed during the first parliamentary review. During the review they found that the current ombudsman model wherein the commissioner works cooperatively with organizations has been very effective in addressing issues.

I think that's evident in the recent Bell case. People are familiar with the relevant advertising program that Bell has been operating where they were collecting personal information about their customers from various sources, so their television watching habits, their telephone use habits, tracking their Internet browsing habits, and anonymizing it all by creating these profiles that they were attaching to other demographic information. The commissioner, after 170 complaints he received in 2013, undertook a broad-based review. I know, having had discussions with officials from Bell, there's a lot of back and forth with Bell and the commissioner's office, and the commissioner came out with these findings and asked that Bell fundamentally change the model, which had been an opt-out approach, where individuals would have to actively decide not to and could not decide to opt in to the proposal.

They also asked the commissioner to give another series of recommendations, all of which Bell complied with. If one looks over the history of PIPEDA and the number of times the commissioner has actually had to take anyone to court, there have been 17 occurrences over the full course of PIPEDA. Of those, 16 were settled before court, and on the 17th, the commissioner actually lost the case in court. There has not been a whole host of activity going towards court under the current model and I think it's shown, with Bell being a good example, how effective that's been.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

Is there any other discussion?

Madame Borg.

12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

I'd like to add, following Mr. Padfield's comments, that there has been testimony from previous privacy commissioners that the current court process is extremely complicated and often very troublesome for the Privacy Commissioner's office to go forward.

You can comment on that if not.... Perhaps we have different opinions about that as well, which is fine.

12:15 p.m.

Director General, Digital Policy Branch, Department of Industry

Christopher Padfield

To add, I think that's part of the rationale in Bill S-4 and the additional powers that were given to the commissioner with that longer period of time to go to court. Under PIPEDA previously, it would have been 45 days, but Bill S-4 extends that to a year. It gives the commissioner more of a timeframe to go in.

It also expanded the commissioner's name-and-shame powers, if you like. The commissioner can more publicly report on a broad range of activities that companies are undertaking, which I think was one of the issues in the Bell case. The commissioner made his findings public, which he's not required to do, but he thought it was in the public interest to make them public.

I think Bill S-4 provides additional authorities and powers that still fall within that ombudsman model that has been so effective, and doesn't move the commissioner into a regulator role and more of a conflictual role with the private sector.

April 21st, 2015 / 12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

I have perhaps one more comment.

I'm not sure if it would be appropriate to consider NDP-16 at this time, since it would be after clause 16 that we should consider it.

I don't know how you want to—

12:15 p.m.

Conservative

The Chair Conservative David Sweet

We can vote on those now.

12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Okay.

I would like to speak directly to NDP-16, if that's okay.

12:15 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

I think the witnesses referred to all them up to 18, so do you want to do NDP-16 and NDP-18 at the same time?

12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

NDP-17 and NDP-18 don't—

12:15 p.m.

Conservative

Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB

NDP-17 is in a different area but NDP-18 kind of fits in the same category, does it not?

12:15 p.m.

Director General, Digital Policy Branch, Department of Industry

Christopher Padfield

Yes.

12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

That's fine. We can link in with that as well.

I don't know. It's because they're different clauses.... That's the only reason I would have separated them.

I would like to speak to NDP-16 because I think it's important as part of the package of amendments that I'm trying to put forward in order to give the Privacy Commissioner order-making powers. We all know that the Privacy Commissioner can conduct an audit when there is some indication that there may be some violations of PIPEDA. This amendment seeks to include any orders that would follow an audit and recommendations to be made public. It is in a certain sense a corresponding amendment, but I think it is an important one because it would make those orders public. Again, name-and-shame power is important, so that kind of ties into there.

Thank you.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

And on NDP-18, Madam Borg?

12:15 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

It's a very technical amendment. I don't see the necessity to speak directly to it.

12:15 p.m.

Conservative

The Chair Conservative David Sweet

Okay.

We'll now then consider NDP-13, NDP-14, NDP-15, and NDP-16, but we'll vote on them separately.

All those in favour of NDP-13?

(Amendment negatived [See Minutes of Proceedings])

(Clauses 13 and 14 agreed to)

Now we have amendment NDP-14.

(Amendment negatived [See Minutes of Proceedings])

(On clause 15)

We have NDP-15, which has already been addressed.

(Amendment negatived [See Minutes of Proceedings])

Now we'll go on to PV-20.

12:20 p.m.

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

Thank you.

Mr. Chair, this is essentially a reiteration of Madam Borg's Bill C-475, which we think is a great model on this topic and we would like to acknowledge her hard and competent work on this file.

The creation of compliance agreements is a step in the right direction, but order-making powers need some form of direct regulatory action such as administrative and monetary penalties. Without such an incentive—you might even call it a threat—it is difficult to see why an organization would enter into such an agreement. Reforms are needed, with real penalties to ensure compliance.

Thank you, Mr. Chair.

(Amendment negatived [See Minutes of Proceedings])

(Clause 15 agreed to on division)

(Clause 16 agreed to on division)

12:20 p.m.

Conservative

The Chair Conservative David Sweet

NDP-16 has been addressed by Madam Borg. Is it okay to go ahead and vote on it, Madam Borg?

12:20 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Yes.

(Amendment negatived [See Minutes of Proceedings])

(Clauses 17 to 20 inclusive agreed to on division)

(On clause 21)

12:20 p.m.

Conservative

The Chair Conservative David Sweet

We're on clause 21, and we have NDP-17.

Madam Borg.

12:20 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

I think at this point, because these amendments, NDP-17 and NDP-18 are corresponding amendments to other amendments of mine that were already defeated, they're strictly irrelevant. I will withdraw them.

12:20 p.m.

Conservative

The Chair Conservative David Sweet

Thank you, Madam Borg.

(Clause 21 agreed to on division)

(Clauses 22 to 27 inclusive agreed to on division)

Shall the short title carry?