Mr. Speaker, I am pleased to have the opportunity to speak to Bill S-4, the digital privacy act. The bill would make significant improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.
One aspect of the digital privacy act that has not received a lot of attention is how the bill would help reduce red tape for businesses. Reducing red tape for Canadian businesses saves money and helps encourage greater investment in our economy. I would like to focus my comments today on these important changes.
We must always bear in mind that strong privacy legislation is not just good for everyday Canadians; it is also good for businesses. In our rapidly evolving digital economy, personal information is becoming increasingly valuable, creating tremendous new opportunities for businesses to innovate and develop new products and services.
Canadians will not provide their private information to businesses if they do not trust that it will be protected. At the same time, if the rules are too cumbersome and complex for businesses to manage and show no clear benefit to consumer privacy, then companies will struggle to implement them. It is for these reasons that the digital privacy act proposes a number of common sense changes to help businesses protect privacy in a way that does not hinder their ability to conduct business.
All of these changes make sense. They were all identified by the Standing Committee on Access to Information, Privacy and Ethics when it conducted the first statutory review of PIPEDA back in 2006. Businesses have been waiting a long time for these changes, and it is important that we move now to implement them. I would like to briefly touch on each of these important changes.
The first changes are in relation to business transactions. Currently, if a company wants to examine personal information as part of its due diligence—for example, if a business is thinking of buying a magazine and would like to look at the list of current subscribers—it first needs to obtain the consent of each individual subscriber. This requirement not only presents a tremendous burden for the company but is also often impractical, given the confidential nature of most prospective business transactions.
Bill S-4 fixes this problem by creating an exception to the requirement for consent that would allow businesses to share information in this context. This must be done in such a way that the privacy interests of those involved are protected.
Under the digital privacy act, information could only be shared for the purpose of assessing the feasibility of the transaction. If the transaction did not proceed, the information would have to be destroyed or returned. If the transaction did proceed, then the individuals would have to be informed.
This amendment would implement a recommendation made by the standing committee during the first statutory review and is modelled after a similar exception that is currently in place in Alberta and British Columbia under their private sector privacy laws.
In addition, the amendment has widespread support among stakeholders. Ms. Éloise Gratton, a lawyer with the Borden Ladner Gervais law firm, appeared before the Standing Committee on Industry, Science and Technology. She said:
I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.
The next important amendment I would like to highlight is the change to how business contact information is dealt with under PIPEDA. Currently, certain types of business contact information are not defined as personal information. Specifically, a person's business title, address, and telephone number are not considered personal information and are therefore not regulated.
As was pointed out during the first statutory review of PIPEDA, this would present an obvious problem: only a few bits and pieces of information are considered to be business contact information under PIPEDA. A person's work email address or fax number or their LinkedIn account or a business Twitter handle are all considered personal information.
The digital privacy act would correct this problem by creating a technology-neutral definition of “business contact information”. It would do this by being inclusive of all types of communication points of contact, such as social media applications like Twitter and LinkedIn. With this change, a sales manager would now be allowed to share an employee's work email address with a client without having to get permission first. This would create a better balance between protecting privacy and allowing information to flow in a digital economy. At the same time, the act would continue to protect business contact information if it is used outside of a business context.
Another important amendment in the digital privacy act would be the clarification around the rules for when someone's personal information is included in their work product. An example would be when a garage mechanic signs off on a vehicle's inspection or a work estimate. The fact that the mechanic signs off on the estimate would mean that it now contains his personal information.
Currently, under PIPEDA, a business must obtain an individual's consent to use or share any work product he or she creates if it contains the individual's personal information. Again, this seems like a rather silly and unnecessary bit of red tape. Bill S-4 would fix this problem by ensuring that businesses can use their employees' work without getting the employees' consent.
Finally, the digital privacy act would ensure that insurance companies can use witness statements when assessing or processing any insurance claim. Witness statements provided to the police or other investigating authorities may contain personal information. For example, if I were to witness someone running a red light that results in a car accident, my statement to the police would include personal information. Currently, under PIPEDA, an insurance company processing any claims for the accident would need to get the consent of anyone named in my witness statement in order to use it. Such a requirement would create the potential for someone who breaks the law to use privacy as a shield to avoid responsibility for his or her actions.
The digital privacy act would fix this problem with an amendment that would enable an organization to obtain a witness statement without having to obtain the consent of an individual whose personal information is contained within it. However, this exception would only apply when the information is necessary to assess, process or settle an insurance claim.
In addition to strengthening privacy protection in Canada through measures like mandatory data breach reporting and stronger enforcement powers for the Privacy Commissioner, which had been discussed extensively in this place, the digital privacy act would also make a number of important changes that would cut red tape for Canadian businesses.
I hope hon. members will join with me in supporting a balanced and carefully considered bill that would dramatically improve Canada's privacy law.