Industry committee  Yes, I can, thank you. Good morning.

Industry committee  Thank you very much. Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill S-4, which proposes amendments to PIPEDA. My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent in

Industry committee  I think they will be helpful, for the reasons that the Privacy Commissioner has already expressed to you. I don't think that compliance agreements go far enough, though, in terms of giving the Privacy Commissioner the powers he needs to enforce compliance with this legislation.

Industry committee  Those are two questions. I'll address the first one, which is the specific one about proposed section 6.1. I think the useful thing to do is compare the proposed wording that you have in front of you with the text that was in the previous version of this bill, Bill C-12. The ve

Industry committee  I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry

Industry committee  Absolutely; I would say that the first and foremost most important purpose of breach notification is to put in place incentives for the companies themselves to put in place the security measures that prevent the identity theft from happening in the first place. But I'm concerned

Industry committee  I would say to stop focusing on consent so much and put in place some hard limits. Let's acknowledge that consent is unrealistic in many situations, and put in place hard limits on what companies are allowed to collect in the first place and use and disclose later on.

Industry committee  Perhaps I could jump in.

Industry committee  I have three points in answer to your question. I agree with everything Dr. Geist just said. The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a

Industry committee  No, I did not. I was not invited and I did not appear or participate at the Senate stage. However, I believe both CIPPIC and PIAC did, and they made a number of the same points that I'm making now. When I look back at the debates, many of these points were made at that stage, a

Industry committee  No, I did not.

Industry committee  Sure, thanks. I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly. One solution is to have the

Industry committee  Yes. To be fair, it is an objective test. If you look, for example, at proposed subsection 10.1(1), it says: An organization shall report to the Commissioner....if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an in

Industry committee  I think Dr. Geist made a good point in that respect in suggesting that we look at the anti-spam law this government has passed and the attention it's getting from industry. Dollars matter, but it's also the process. With fines, quasi-criminal fines, that require prosecution and

Industry committee  If you're going to rely on consent and you want it to be meaningful, then forget negative-option or hidden consent. Everyone knows that no one has the time to read or the ability to figure out where it is hidden in the 20 pages of fine-print legalese. Let's go with real, meaningf