International Trade committee  I'll do my best. Thank you, Chair. Good morning. As you've heard, my name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I appear today in a personal capacity, representing my own views.

Industry committee  I'll close by responding to what Mr. Lake noted regarding what happens when witnesses talk about getting it right. I will just provide two things, first to note that the government has painted this legislation as being pro-consumer—obviously part of the digital economy strategy—which makes it clear what the intent of the legislation is.

Industry committee  What we lack is both tough penalties, as we've talked about, and order-making power for the commissioner to order someone to comply with rules, as is found even at the provincial level. The prospect of negotiating compliance agreements is certainly better than what we have now. I don't think anybody disputes that.

Industry committee  I don't have expertise in the Quebec law per se, but there is a series of exceptions, quite clearly, even as it stands now under PIPEDA. So when we talk about substantial similarity between the provinces that have these kinds of laws, I think what you're saying is somewhat consistent with that.

Industry committee  I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill C-12 and Bill C-29 standard, that's not the standard we talked about.

Industry committee  Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure.

Industry committee  No. What I'm referring to is an organization that has my information. There may be instances where they are disclosing it either to law enforcement or to private sector organizations. In the law enforcement context, if it's a warrant, and post the Spencer decision, it's quite clearly now going to be a warrant, or should be a warrant.

Industry committee  No, not a data breach at all. The language used in Bill S-4 is exceptionally broad. It refers to the ability to disclose this information—here, I can try to call it up for you—where it is reasonable for the purposes of investigating a breach of an agreement or a contravention of a law that's either been, has been, or might even be committed, and where it is reasonable to think that if the individual were made aware of that disclosure, it would compromise the investigation.

Industry committee  There's no reference to internal organizations nor internal fraud. The new (d.1) is talking about “a breach of an agreement or a contravention of the laws of Canada or a province” that's either been committed or, even, that might be about to be committed. It's anticipatory: I think something might happen, and so I'm going to move forward.

Industry committee  What I said was that I'm concerned about disclosure without a warrant and without consent, or without knowledge. Warrants involve situations where we have disclosures to law enforcement. Where this law applies is not to law enforcement, but rather to voluntary disclosures to non-law enforcement.

Industry committee  Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied.

Industry committee  Sure. Perhaps I'll start by highlighting a couple of things. We've talked, obviously, about the security breach rules and about the voluntary disclosure, but focus for a moment on penalties and order-making power. I think that to an expert in privacy who came to Canada and learned that our federal commissioner does not have order-making power, that would be, frankly, stunning.

Industry committee  The answer, of course, is yes, security breach disclosure does help address identity theft, for the obvious reason that it creates a stronger incentive for organizations to do a better job of securing the information they collect. It provides notification to users in some circumstances so they can take appropriate safeguards and try to mitigate against the potential harm that could occur from identity theft.

Industry committee  I'll jump in quickly by saying I think you raise a great point. Even today, I think we've already heard a bunch of potential suggestions about the kinds of things we could do that go beyond the four squares of the legislation itself. With respect to Spencer, I think it points to what would be a really problematic outcome, one in which we find that where law enforcement is seeking information, they obtain court orders, whereas where that same information might well be disclosed in a private sector circumstance, there is no oversight or no limitations other than those found in the legislation.

Industry committee  My concern with the security breach disclosure provisions, which I think quite clearly are long overdue—we've been passed by by so many other countries and jurisdictions on this—is frankly that we had it better in the earlier iterations of this bill, in Bill C-12 and Bill C-29, which, as I'm sure you know, created a two-step process.