:
Thank you very much, Mr. Chairman, and I appreciate the opportunity to come back, as you said, with my officials to talk about Bill , which for me is a very important piece of legislation for a number of reasons: the context of the legislation in terms of Canada's digital policy moving forward but also our responsibility as a government, as a Parliament, to update our privacy legislation to protect Canadians.
But before I do that, I gather there were some changes in the committee membership, so I want to congratulate those of you who have been tasked to come onto this committee. As you know, the Department of Industry...and therefore your oversight of our activities, your advice, and constructive criticism, are of course an important part of our parliamentary function. To those of you who are on the committee, I look forward to working with you over the coming months as we move forward on pieces of legislation like this one here.
[Translation]
Thank you, Mr. Chair, for inviting me to appear before the committee today to discuss an important bill, the Digital Privacy Act, which is intended to better protect Canadians' personal information online.
[English]
You know, our government is focused on the mandate that we were given by Canadians back in 2011, to create jobs, focus on a growing Canadian economy and, as Minister of Industry, to move forward with an effective digital policy for Canada.
Also, we know that any government's plan that is centrally focused on the economy must of course have a robust engagement to strengthen Canada's digital economy. That's why last year I unveiled Digital Canada 150, our government's plan that sets clear goals for a connected and competitive Canada. It will help Canadians participate and succeed in our digital economy. One of the key pillars under Digital Canada 150 is the need to protect privacy.
The is an essential part of that goal. Our government understands that a strong digital economy requires strong protections for Canadians when they surf the web and when they shop online. The digital privacy act will modernize Canada's private sector privacy law by introducing important new protections for Canadians online. It sets clear rules for how personal information can be collected, used, and disclosed. It requires organizations to tell Canadians if their personal information has been lost or stolen and imposes heavy fines on companies that deliberately break the rules. It gives the Privacy Commissioner of Canada more power to enforce the law and to hold offenders to account. The bottom line is that it delivers a balanced approach to protect the personal information of Canadians, while still allowing information sharing to stop illegal activity when it occurs.
These are much-needed changes to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or more commonly known as PIPEDA. PIPEDA “sets out the ground rules for how private sector organizations...collect, use or disclose information in the course of commercial activities” across Canada. This should not be confused with the Privacy Act, which deals with how the Government of Canada handles the personal information of Canadians.
Let me share with the committee four areas where the will significantly improve PIPEDA.
First...data breaches. Unfortunately, this is an all-too-familiar topic for Canadians in our digital age.
[Translation]
It may surprise the committee members to learn that, under the current legislation, businesses are not obligated to notify Canadians of security breaches involving data under their control.
In other words, if a company's data is compromised and a hacker gets a hold of your credit card number, the company is not under any obligation to notify you. That's a serious problem.
[English]
Last December, for example, Target revealed that a data breach had compromised millions of its customers' credit and debit card information. In September, Home Depot announced that a data breach perpetrated by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud. On October 10, Kmart disclosed, in the United States, that almost all of its 1,200 stores throughout the States had been attacked by hackers, putting credit card and debit card details of customers potentially in jeopardy. Later in October, Staples announced a suspected breach of its customers' credit card and debit card information as well.
Canadian online consumers need stronger laws to protect them from similar fraud here. The digital privacy act will make it mandatory for an organization to tell individuals if their personal information has been lost or stolen and whether or not it puts them at any risk.
[Translation]
Under the Digital Privacy Act, organizations will be required to notify individuals whose personal information has been lost or stolen and let them know whether they are at risk of harm as a result.
Companies will have to inform Canadians of the steps they must take in order to protect themselves, such as changing their credit card PIN or email password. These are crucial safeguards to protect Canadians, and yet they are not currently in place.
[English]
The has been praised by consumer rights groups and those in the retail industry for its balance. The Marketing Research and Intelligence Association has said that they support the mandatory breach notification requirements that are in the bill. The Canadian Marketing Association has said that they support the changes to breach provisions.
The will make it mandatory that organizations also report these potentially harmful breaches to the Privacy Commissioner. When there's a privacy breach, not only is the individual informed by law; the Privacy Commissioner is also informed by law. In fact it will be mandatory for all organizations to keep records of all data breaches as well. If the Privacy Commissioner makes a request for these records, they must be handed over. Once law, organizations that deliberately cover up privacy breaches and destroy records will face fines of up to $100,000 for every person or client that they intentionally fail to notify.
The Office of the Privacy Commissioner of Canada is on the record as supporting these amendments as being in the best interest of Canadians. In addition, in my home province, the B.C. privacy commissioner has also recommended to their provincial government that they adopt the same approach that we have taken in Bill .
Second, our clarifies the rules around obtaining consent to protect vulnerable Canadians online, particularly children and seniors, when companies ask to collect and use their personal information. For example, when the owner of a website for children wants to gather information about visitors to the site, the owner will need to use language that a child could reasonably be expected to understand. If the child can't be expected to understand how the information will be used, the child's consent would not be deemed valid. The owner would need to get consent from a child's parent.
This amendment makes it clear for companies how consent works under the act. This is something about which there has been confusion. This legislation does make it clear so that they can adopt best practices.
If an organization is targeting a product or service at a particular segment of the population, such as children, then any attempt to obtain consent must be adjusted accordingly.
Again, Mr. Chair, the Marketing Research and Intelligence Association agrees with these changes, saying that it “fully supports the provisions in Bill S-4 which provide added clarity for organizations when they seek the valid consent of an individual”. Given the increased use of smartphones and tablets among young people, the stronger rules included in this bill will make sure that individual Canadians, especially children and adolescents, can fully understand the potential consequences of sharing their personal information.
[Translation]
The Digital Privacy Act further protects Canadians by setting out certain exceptions in which personal information can be shared when it is necessary to protect an individual from harm.
In certain situations, it is in the public interest to share an individual's personal information without their consent. For instance, the information could be shared for the purpose of reuniting parents with a sick or injured family member when they are otherwise unable to contact that family member.
[English]
Another example would be by allowing banks and financial institutions to share personal information with law enforcement or family members when they suspect cases of financial abuse, especially to protect against elder financial abuse. The Canadian Bankers Association has applauded the amendments contained in this bill that would allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse, particularly of elders.
Mr. Chair, I want to pause here to address one issue that was raised in question period when this bill was debated in Parliament before being referred to this committee. That's with respect to the Supreme Court of Canada's decision in the Spencer case. Some have suggested that PIPEDA, and the by extension, in some way may violate the Charter of Rights of Canadians and need to be changed.
This is patently false. PIPEDA does not create any search or seizure powers for law enforcement. It does not require companies to hand over information to law enforcement. It only allows private sector organizations to voluntarily provide information to law enforcement and government agencies when they have the legal authority to obtain it. This decision does not mean that PIPEDA or Bill is unconstitutional, and no changes to Bill S-4 are required in that regard.
Some privacy advocates, including the Privacy Commissioner, have called for greater transparency on the part of businesses with respect to how often and under what circumstances they provide information about their customers to police.
Openness, of course, is one of the key principles underscoring PIPEDA, and nothing in PIPEDA prevents Internet service providers or other companies from publishing such transparency reports. I'm pleased to see that over the past year a number of Canadian companies have done just that.
[Translation]
Lastly, under the Digital Privacy Act, the Privacy Commissioner will have new powers and tools to enforce the act.
[English]
The former interim Privacy Commissioner supported this legislation when she said that the digital privacy act “will strengthen the privacy rights of Canadians. We welcome proposals to introduce a mandatory breach notification regime and the compliance agreement provisions that will make it easier for our office to ensure that companies meet the commitments that they have made. We strongly support these provisions.”
I would point out as well that before we drafted this legislation and before it was presented to the Parliament of Canada, we consulted with the Privacy Commissioner's office to ensure that this legislation satisfied their concerns with regard to privacy and that we were taking all reasonable steps to ensure that concerns that had been raised in the past about this type of reform were recognized and considered in the drafting of this legislation. That's why I'm grateful for the Privacy Commissioner's support of this legislation.
Under the digital privacy act, the commissioner will now be able to negotiate voluntary compliance agreements with organizations to hold them accountable for their commitments to correct privacy problems. In addition, the Privacy Commissioner will now have one year instead of 45 days to potentially take organizations to court if they don't play by the rules. The digital privacy act will also give the commissioner more power to name and shame, or to make information public where organizations do not play by the rules. This change will make sure that Canadians are informed and aware of issues that affect their privacy. Organizations either comply with the law or they will face public scrutiny.
Our government is balancing the privacy needs of Canadians and the ability of businesses to legitimately access and use personal information in their day-to-day operations. The Canadian Marketing Association has expressed their support overall for this legislation when they said that it “supports the government's effort and this bill to update Canada's private-sector privacy law”.
The Canadian Bar Association said, “We express our support for the digital privacy act”.
As we move forward with the implementation of the act, I look forward to working with the Privacy Commissioner to provide all the necessary clear and practical guidance to help with full compliance. The digital privacy act, as I said, is a much needed update to Canada's private sector privacy law, particularly in our modern digital economy.
[Translation]
The bill gives Canadians the assurance that their information will be equally protected, no matter who they choose to do business with in Canada.
Thank you. I would be happy to answer any questions the committee members have.
[English]
I would certainly like to again thank committee members for their consideration of this legislation. As you know, it's Bill , not C-4, and this legislation has already been adopted by the Senate. It received quite deep and thorough study on the Senate side. This was treated, I think, with a great deal of respect and the necessary intensity, and I was pleased that it was adopted by the Senate. I look forward to this committee giving it the scrutiny that it deserves.
Thank you.
:
Digital Canada 150 has five pillars to it, 39 specific action items, and one national policy for all of Canada.
The first of the five pillars is connecting Canadians. It's making sure that we're all bound together and fully participating, as the second largest country in the world in size but 37th largest in terms of population. In a wireless sphere, with our connecting Canadians program and our investment on a P3 basis in infrastructure all across the country, it's that all Canadians are connected going forward. As well, of course, with our wireless policies, it's that we have world-class connectivity and competitive pricing with adequate competition, which is why we've taken the approaches we have on spectrum auction and spectrum transfer policy.
The second pillar is the digital economy. You'll remember when we first did our digital policy efforts in our first term in government, we talked about a digital economy strategy. Well, at the time, it was around the margins of the worst recession since the Second World War, and, of course, everything had the language of an economic policy and economics. But the truth is that a digital economy strategy, in my view, is a bit too narrow of a lens to put on a broad digital policy for a country. That said, there are specific measures that a government can take in order to ensure that the digital economy is moving forward. This speaks to it a little bit, but there are other measures as well.
One pillar is connecting us. The second pillar is the digital economy and the opportunities that exist within it. A third pillar is making the government more digital than ever before: the Open Data Institute that we have, the OpenScience initiative, making sure that government information is more accessible online than ever before, and taking those initiatives that Tony Clement, as President of the Treasury Board, has tackled.
The fourth pillar is protecting Canadians online, so: connecting Canadians; digital economic strategy; more digital government than ever before; and protecting Canadians online, which this legislation is central to.
The fifth and the final pillar is the one that I find most fun and interesting. Once you connect everybody, once you've made it more secure, you're taking full advantage of the digital economic opportunities, and the government is walking its talk and hopefully adopting the more digital approach to the way it does everything, then you breathe life into all of this with digital Canadian content. A central point to all of this is pushing our museums to be more digital, ensuring that the public broadcaster, the Canada Council for the Arts, and everybody who is engaged in telling Canadian stories to Canadians about Canada, our history and aspirations and all of these things. This country only survives if we have better understanding of our history, better opportunities to talk about our aspirations for the future. Breathing life into the content side is the fifth and final pillar.
None of these pillars stand on their own. If any one of these pillars was the entirety of the digital policy, it would lack comprehension. This is essential for us to move forward.
:
Your caution is right. I know you just became a grandfather, I think again, very recently. Congratulations on that.
This is obviously an important part of the government's obligation as everything shifts to digital, and everybody is doing everything with tablets and smartphones at their convenience.
The approach to the legislation is about the consent that's offered. As you know, in the world of big data and in the world of collecting that data, we need to make sure children understand the risks that are online. Not all of this, of course, can be done or frankly should be done as a quasi-parenting function of the government. We all have an obligation to protect ourselves, those we care about, and the broader society.
But we also have institutions and bodies, such as the Privacy Commissioner, the Government of Canada, through legislation like PIPEDA, or through privacy legislation that we have as the Government of Canada more broadly when we're dealing with citizens' interaction with the government to ensure we are protected. This legislation takes steps to ensure, when a child is online and giving consent or sharing information, that the language used is, frankly, plain-spoken and can reasonably be expected to be understood by a child. I know that's a very subjective way of saying it.
Let's say, for example, that a child goes onto a website of a cartoon figure and provides his personal email address, home address, or phone number. That information was drawn out of the child. He's using the website in a way that was duplicitous or not clear, or the child might have given that information in a way...that was duplicitous, and a parent later finds out about it. That is reported to the Privacy Commissioner. The Privacy Commissioner can then take action. The entity putting up that website is forced to immediately take down the website and re-offer that information in a more responsible way.
Yes, there is some subjectivity in all of this, but the approach we've taken is to entrust the Privacy Commissioner with this approach, based on experiences in other jurisdictions around the world, in the trial and error they've had in trying to put in place this kind of public policy. Those firms that don't comply with this certainly can face penalties from the government, or by extension the Privacy Commissioner, and certainly some name-and-shame capacities. You would think that some of these firms, if they're engaged in this kind of behaviour.... If the Privacy Commissioner were to issue a report saying they were engaged in an approach of data collection about our kids that is unsafe and that violates the privacy of our kids, I think that would be a death sentence to that firm.
The powers that are in here are incredibly powerful in the free market for firms that are engaged in this kind of a process. The fine, as my deputy has just signalled to me, is $10,000 up to $100,000 either per data breach or per abuse of the privacy of individuals, including kids.
:
Mr. Chair, I'll be very short.
I want to talk about two things. One is the basic objectives of the act, and the Minister referred to them. I also want to talk about some of the principles and objectives in terms of the design of the bill, which I think are important to understanding why the bill is the way it is.
[Translation]
Bill makes four important changes.
[English]
First, it requires companies to tell Canadians if their personal information has been lost or stolen, and they've been put at risk as a result.
Second, in the area of consent, it clarifies that actions taken to obtain consent must be appropriate to the target audience. We heard earlier about the particularly vulnerable group of children. In the area of consent it modifies the very limited circumstances—and we would want to stress, very limited—when personal information may be shared without consent in order to balance against other important public policy objectives, for example, if a bank or financial adviser suspects that one of the clients is a victim of financial abuse.
Third, Bill gives the Privacy Commissioner a range of new tools and greater flexibility to enforce the act.
Fourth, it takes steps to reduce the burden on businesses and to allow them to use this information in relation to their ongoing work and due diligence relating to various business transactions.
On the design side—and this is what I think is probably most important as an administrator to bring to your attention—it is really two concepts. I think this came up in the earlier discussion. One is the issue of balance and the other is the issue of principles. This is a bill based on principles.
As we make amendments and look to the future we want to maintain a concept of balance and build upon a principle-based approach that has made PIPEDA successful. These principles are set out in the annex to the original act and include important concepts such as accountability, consent, accuracy, safeguards, and openness.
In light of some of the earlier questions I would stress that openness is a principle that we constantly look to and applies, for example, in the question of the use of information between businesses. Of course it is all about ensuring that citizens have the right to know.
In terms of balance, I'll make a couple of quick points. Ensuring Canadians have the information they need so they can take action to protect their privacy is a priority. Equipping the Privacy Commissioner with the information and tools needed to protect Canadians and increase compliance is a priority. Providing clear rules and a minimal administrative burden on the private sector is a priority. These are not priorities that always mesh and the question of balance comes into play.
In conclusion I want to say that while every country takes a unique approach to addressing privacy—the United States, for example, has a more regulatory-driven approach and the European Union a much more proscriptive approach—we think we have a world-leading approach to the administration of privacy here in Canada and that's reflected in these amendments. We hope to continue to be a leader internationally in this regard.
Thank you, Mr. Chair.