Mr. Speaker, I am pleased to rise today and speak in support of Bill S-4, the digital privacy act.
Last April the Minister of Industry announced Digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a plan that sets clear goals for a connected and competitive Canada in time for our 150th birthday in 2017.
One of the five pillars of Digital Canada 150 is protecting Canadians. Our government understands that in order for Canadians to take advantage of opportunities in the digital age, we must protect Canadians' private information in the digital world.
Previously our government has taken action to protect Canadians by introducing Canada's cyber security strategy and Canada's new anti-spam law. Bill S-4 adds to our record of standing up for Canadians in the online world.
This bill introduces measures to update PIPEDA, the Personal Information Protection and Electronic Documents Act, by setting out specific rules that businesses and organizations would have to follow whenever personal information was lost or stolen.
I was pleased to see that the member for Terrebonne—Blainville supports this bill and I am looking forward to her support when the bill comes to a vote in the House. In fact, the member said about the bill, “We have been pushing for these measures and I'm happy to see them introduced.”
Data breaches continue to be a major challenge to the privacy and security of citizens around the world. For example, this past summer JPMorgan Chase & Co., one of the largest banks in the U.S., was the victim of an attack that affected the accounts of 76 million households and seven million small businesses. Home Depot recently confirmed that 56 million payment cards were impacted in a breach of its payment card systems that lasted for five months.
Worldwide, there were between 575 million and 822 million data breaches in 2013. In the U.S. alone, nearly 92 million records were compromised in 2013.
Currently PIPEDA contains no obligations for businesses or organizations to tell customers when their personal information has been lost or stolen. I am pleased to tell the House that Bill S-4 introduces measures to address this issue. The bill creates new requirements under PIPEDA for reporting losses, theft, or other unauthorized access to personal information that may result from accidental or malicious activity.
These provisions would ensure that Canadians can take action to protect their personal information in the event of a privacy breach, while also encouraging businesses to adopt better information security practices. Organizations that deliberately ignored these requirements would face penalties of up to $100,000 per offence.
Let me explain how the new provisions will work.
Under Bill S-4, an organization that suffers a privacy breach would be required to notify affected individuals if there is a risk of significant harm. The organization would also have to report the breach to the Privacy Commissioner of Canada.
In fact, the interim Privacy Commissioner, Chantal Bernier, said that this bill contains “...very positive developments for the privacy rights of Canadians”. She was pleased that the government had addressed issues such as breach notifications.
The bill identifies the factors an organization would have to consider when determining whether or not there was a real risk that some form of significant harm would occur as a result of a privacy breach.
First, the organization would have to consider the sensitivity of the personal information. Second, the organization would have to consider the probability that the stolen information would be misused—for example, whether the data was encrypted, how much time had passed between the occurrence of the breach and its detection, and whether the cause of the breach was a malicious attack or was accidental.
Let me say again that by law, an organization would be required to notify individuals as soon as a breach was confirmed. If an organization determined there had been a breach, it would also have to notify other organizations in order to reduce the potential risk for the individual whose information was compromised. For example, if a store experienced a breach of its customer records, it would have to notify the relevant credit card companies or financial institutions.
Let me draw the attention of the House to a key element of these data breach requirements, which is that the bill would require organizations to keep records of all data breaches and provide this information to the Privacy Commissioner upon request. This would give the commissioner the ability to oversee data breach reporting and notification requirements. The Privacy Commissioner would be able to request these data breach records at any time. There would be no need for him to be conducting an audit or investigation when he requests them.
Bill S-4 includes heavy fines for companies that knowingly contravene these new requirements. Companies that deliberately failed to report a data breach to the commissioner or failed to notify individuals would face fines of up to $800,000. This could be up to $100,000 for every individual not told. Similarly, companies that deliberately cover up a data breach by not keeping these records or by destroying them could also face fines of up to $100,000.
Some might ask why there is a need for penalties related to data breach notification, given that most organizations comply with the Privacy Commissioner's guidelines for voluntary notification already. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner; however, some do not. These penalties would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.
Canadians know that our government takes their privacy concerns very seriously. I look forward to the continuation of this debate as we work with the opposition on how we can best protect Canadians in our digital world.