Industry committee  Yes, I do.

Industry committee  Yes, I do.

Industry committee  Sorry, I'm not sure what you're referring to. Is it something in Bill S-4?

Industry committee  Well, certainly giving the Privacy Commissioner the power to make and enforce compliance agreements is a step forward. It's not nearly as great a step as should be in here, but it's something. Certainly having the security breach notification regime, some kind of regime in place,

Industry committee  If you're going to rely on consent and you want it to be meaningful, then forget negative-option or hidden consent. Everyone knows that no one has the time to read or the ability to figure out where it is hidden in the 20 pages of fine-print legalese. Let's go with real, meaningf

Industry committee  I think Dr. Geist made a good point in that respect in suggesting that we look at the anti-spam law this government has passed and the attention it's getting from industry. Dollars matter, but it's also the process. With fines, quasi-criminal fines, that require prosecution and

Industry committee  Sure, thanks. I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly. One solution is to have the

Industry committee  Yes. To be fair, it is an objective test. If you look, for example, at proposed subsection 10.1(1), it says: An organization shall report to the Commissioner....if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an in

Industry committee  No, I did not. I was not invited and I did not appear or participate at the Senate stage. However, I believe both CIPPIC and PIAC did, and they made a number of the same points that I'm making now. When I look back at the debates, many of these points were made at that stage, a

Industry committee  No, I did not.

Industry committee  Perhaps I could jump in.

Industry committee  I have three points in answer to your question. I agree with everything Dr. Geist just said. The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a

Industry committee  I would say to stop focusing on consent so much and put in place some hard limits. Let's acknowledge that consent is unrealistic in many situations, and put in place hard limits on what companies are allowed to collect in the first place and use and disclose later on.

Industry committee  Absolutely; I would say that the first and foremost most important purpose of breach notification is to put in place incentives for the companies themselves to put in place the security measures that prevent the identity theft from happening in the first place. But I'm concerned

Industry committee  I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry