Mr. Speaker, the legislation would provide the foundation on which the government would hold businesses to account on behalf of consumers.
It would establish new rules to protect privacy online and back them up with more effective compliance and enforcement tools in order to strengthen the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.
Under this bill, the Privacy Commissioner would be provided with a new set of tools that would help him or her perform oversight and ombudsman functions. At the same time, the courts would continue to enforce the law and could impose significant new penalties which have been added to encourage compliance with key requirements.
Through PIPEDA, the Privacy Commissioner has the responsibility for overseeing compliance with the act. He has the power to investigate, enter premises and compel evidence. He can mediate a settlement, make recommendations and publish the names of those who contravene PIPEDA. In short, the commissioner investigates complaints and works with companies to ensure they comply with the act, but enforcement action is left to the Federal Court. Indeed, the Privacy Commissioner and the Federal Court have worked together effectively to administer and enforce the rules set out in the act.
The commissioner or any other individuals can apply to the Federal Court for a hearing on any matter related to the original complaint. It is the court, not the commissioner, that has the authority to order the organization to change its practices. The Federal Court could also award damages to individuals when their privacy has been violated and they have suffered some form of harm as a result. Under the bill before us, both the courts and the Privacy Commissioner would be given new tools, but the responsibility for enforcement action would still remain with the court.
As has been mentioned, new offences and penalties would be created for three areas relating to the new data breach rules contained in this legislation. The courts can assess penalties for: deliberately failing to report a data breach to the commissioner, as prescribed by the act; deliberately failing to notify an individual of a data breach, as prescribed by the act; and deliberately failing to maintain or deliberately destroying data breach records, as prescribed by the act.
In keeping with existing offences under PIPEDA, these offences would be subject to a fine of up to $10,000 on summary conviction and up to $100,000 on indictment. I would point out to the House that the organization can be assessed a penalty for each and every individual it fails to notify. Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed.
At the same time, the bill would give the Privacy Commissioner the tools he or she needs to monitor the impact and efficacy of these new rules and serve as an ombudsman to help reduce the number of cases that go before the courts. The Privacy Commissioner would be given the authority to negotiate compliance agreements with organizations.
Let me give the House an example. Let us assume that following an investigation or audit, the commissioner determines that an organization should take certain corrective actions to remain compliant with the law. Under Bill S-4, the organization could agree to take these actions in exchange for the assurance that it would not be taken to court over the previous breach of the rules. However, the organization would also be legally accountable for any commitments made under the corrective action.
Compliance agreements are an effective mechanism for holding organizations accountable. They allow the Privacy Commissioner and organizations to avoid costly court action and provide flexibility to suit the particular circumstances that an organization finds itself in.
I would remind the House that compliance agreements are already being used by the Commissioner of the CRTC under the anti-spam legislation and the Minister of Health under the Consumer Product Safety Act.
By adding compliance agreements to the tool box of the Privacy Commissioner, we would strengthen consumer privacy protection without fundamentally changing the framework of PIPEDA or the role of the commissioner.
However, in order for this provision to work effectively, further changes to the regime are required. For example, under PIPEDA as it now stands, the commissioner has only 45 days after he or she reports the results of an investigation to make an application to the Federal Court to seek an order to take corrective action. Experience has shown that this is not enough time for the commissioner to work with companies to implement his recommendations and there is the risk that companies would simply stall in implementing the required changes until the 45-day period runs out.
On top of these challenges, 45 days is likely not enough time to negotiate and implement a compliance agreement. That is why the bill would increase the period of time to make an application to the court to one year from the time the commissioner reports the results of his or her investigation.
Finally, I would point out that the bill would give yet another tool to encourage compliance with the data breach provisions. It would give the commissioner the power to publicly disclose wrongdoing of an organization, if he or she considers it to be in the public interest to do so. Under the current act, the commissioner has limited provisions that involve the right to make public information concerning the personal information handling practices of the organization.
However, currently, he or she cannot publicly report when, for example, organizations fail to co-operate with an investigation or repeatedly stall implementation of the recommendations to fix privacy problems. Bill S-4 would broaden the types of information the commissioner could make public concerning non-compliant organizations. This is an important tool in encouraging compliance with the act.
As technology and the marketplace evolve, the commissioner and the courts need more effective tools to help hold organizations accountable for their handling of personal information, for the protection of Canadians and their privacy.
The bill before us addresses this need with four new tools. First, it would assign significant penalties for wilful disregard of the important new data breach notification requirements. Second, it would give the commissioner the authority to negotiate compliance agreements. Third, it would extend the length of time the commissioner or individuals have to bring matters before the court to one year. Fourth, it would give the commissioner greater authority to share more types of information about non-compliant organizations with the public.
I hope honourable members will join me in supporting these new tools for the courts and Privacy Commissioner by supporting Bill S-4.