Good morning, ladies and gentlemen.
Good morning, everyone.
Welcome to the 36th meeting of the Standing Committee on Industry, Science and Technology. We are studying Bill , an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.
We have before us today, from the BC Freedom of Information and Privacy Association, Vincent Gogolek, the executive director.
We were going to have the Insurance Bureau of Canada here, but they're stuck on the tarmac in Toronto in a plane that was not able to go. They're trying to get on another plane, but of course they're not going to be able to make it to the meeting. We have already rescheduled them by phone for another meeting.
We also have before us Michael Geist, Canada research chair in Internet and e-commerce law at the University of Ottawa. He is testifying as an individual.
By teleconference we have Philippa Lawson, barrister and solicitor. She's coming to us from Whitehorse in Yukon.
Can you hear us okay, Ms. Lawson?
Thank you, committee, for having us here.
You have our submission and there are a number of links in it to related documents. I won't take you through that. I'll just raise some of the points in there, and hopefully that will leave more time for questions on what is a very important piece of legislation.
I also want to say that we appreciate the fact that the committee is hearing from witnesses before second reading. We take this as a positive sign that the government is in favour of and open to amendments above and beyond its usual openness in the normal course of proceedings.
The first thing I'd like to talk about is the Spencer decision of the Supreme Court of Canada from last year. I'd like to concentrate on the B.C. aspect of it. As you know we have a special legislative committee that looked at our substantially similar legislation: the Personal Information Protection Act. The committee came out with recommendations for changes to our equivalent of section 7. You have the link to that report, I believe, through our submission.
The approach they suggested was a narrowing of the scope of the B.C. section.
The special legislative committee in B.C. also raised concerns—some of which we raised with them, as did the Information and Privacy Commissioner, Elizabeth Denham—about the question of substantial similarity between the provincial and federal acts, so there is some discussion in there.
In addition to the B.C. committee and the B.C. commissioner, the federal Privacy Commissioner, Mr. Therrien, has also indicated he has some concerns with section 7, and has suggested some changes.
The second point I'd like to make is something that we raised not before this committee, but before the access to information, privacy and ethics committee relating to political parties. Political parties are not covered at the federal level by privacy legislation. The large amounts of data collected by political parties are essentially unregulated. I don't think this is suitable. I don't think this is appropriate, and I think it diminishes the confidence that Canadians have both in the privacy law, because of this very large hole, but also in terms of what happens to their personal information.
I offer to you, by way of contrast, what we have in British Columbia where our provincial political parties are covered by the Personal Information Protection Act. Our commissioner has conducted investigations into complaints that were brought to her by individuals about the conduct of political parties. The commissioner investigated, reports were issued, and practices were changed, and yet the political system continues. There has not been a complete collapse of the political system or the political parties in British Columbia. I offer to you, as an example, what can be done and the kind of thing I think could be easily done by including the political parties under PIPEDA.
The final point—and I'll be quite brief because I believe that Ms. Lawson will be dealing with this as well—is a report we are currently working on for the federal Privacy Commissioner called “The Connected Car: Who is in the Driver's Seat?” The report will be released March 25 in Vancouver and we'll be happy to provide you with copies.
I'll leave Ms. Lawson to deal with some of the particulars. Of course we won't be revealing the report here today, but there are a number of issues related to privacy, of course, and consent and consumer choice. I think members of the committee will find that report very interesting, and we hope it will inform your work as well.
Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I've appeared before this committee on a number of occasions on digital policy issues, including privacy, and I appear today, as always, in a personal capacity representing only my own views.
Actually I previously appeared before the Senate committee that was studying Bill and my remarks then focused on three broad issues.
First, I offered my support for several important provisions in the bill, particularly the additional clarification on the standard of consent, the extension of the deadline to take cases to the Federal Court, and the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings or other matters. Second, I identified issues that I think need amendment or improvement: the security breach disclosure rules, particularly the abandonment of a two-step disclosure process that was found in some earlier bills; the compliance agreements provisions, which I think could be strengthened with penalties or order-making power; and the expansion of voluntary disclosure of personal information between private sector organizations. Third, I talked about some missing provisions, namely, what I think is the need for mandatory transparency reporting.
My time this morning is limited, so I'm going to delve deeper into just two issues, the voluntary disclosure provision and transparency reporting.
On voluntary disclosure, as you know, Bill expands the possibility of personal information disclosure without consent or court oversight to anyone, not just law enforcement. As you know, the bill features a provision granting organizations the right to voluntarily disclose personal information without the knowledge or consent of the affected individual and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation, or even the prospect of a future violation.
This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. I believe this runs counter to the court decisions that we've seen from the Federal Court, which have sought to establish clear limits and oversight over such disclosures as well as the spirit of the Supreme Court of Canada's Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with such information. In fact, if we examine the leading cases involving disclosure of customer information in private litigation—not to law enforcement but in private litigation—such as in Warman v. Fournier, BMG v. Doe, Voltage v. Doe—virtually all emphasized the need for safeguards before customer information is disclosed, even as part of an investigation.
A House of Commons committee did recommend a similar reform in 2006, but that recommendation was rejected at the time, both by the Conservative government and the Privacy Commissioner of Canada.
I recognize that some have suggested that both Alberta and B.C. have similar provisions and that no harm has resulted from their approach. I'm not so sure. I don't think anyone can reasonably conclude that the provincial approach has not resulted in privacy risks or harms. It's important to bear in mind that the disclosure itself is not necessarily revealed to the affected individual. Indeed, the point is often to disclose without knowledge or consent, meaning the affected individual will not know that their personal information has been disclosed. Asking for evidence of harm when the harmful conduct is kept secret from those who are affected creates an impossible evidentiary burden. In fact, even if you believe that the disclosures might come to light through court processes should it reach that point, and we know that oftentimes the disclosures won't ever reach the point of a court case, provincial privacy law such as we find in Alberta and B.C. rarely involves having these kinds of cases come to light. It's no coincidence that the leading cases involving personal information involve PIPEDA, because those cases typically involved telecom companies, Internet service providers, websites, and banks, all largely governed through PIPEDA.
In other words, the existence of this kind of provision at the provincial level actually tells us very little about how it will be used under PIPEDA. The reform here, I think, is clear. There is no compelling need for a change. The current system has been in place for many years and there are dozens of organizations that are covered by the investigative bodies exception. It may have been a bit of a hassle 10 years ago, but now the reform makes little sense. Further, if there are specific industries that can point to concerns, I think those can be addressed through a narrow amendment, but the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.
Second is the need for transparency reporting. The lack of transparency in reporting requirements associated with personal information disclosures, I think, is a glaring omission from the bill. The revelations last year of over a million requests and over 750,000 disclosures of personal information in a single year, the majority of which happened without court oversight or a warrant, point to, I think, an enormously troubling weakness in Canada's privacy laws.
More recently, the Privacy Commissioner of Canada tried to conduct an audit of RCMP requests for subscriber information and was largely forced to abandon the audit when the data there were found to be inaccurate and incomplete.
Now, there are some companies, such as Rogers and Telus, that have begun to issue transparency reports, but there are others, most notably Bell, that have not. Most Canadians have simply no awareness that this is taking place. This deficiency can be addressed, I think, through two reforms.
First, the law should require organizations to publicly report on the number of disclosures they make without knowledge or consent and without judicial warrants. This information should be disclosed in aggregate on a quarterly basis—every 90 days. I'm not talking about disclosing it to each individual immediately; we're talking about its being on an aggregate basis and a quarterly basis.
Second, those organizations should be at some point in time required to notify affected individuals within a reasonable time. Leave aside the necessity to keep it secret, if necessary as part of an investigation; once it is concluded or a reasonable amount of time has passed, either get a court order to continue the secrecy or disclose the disclosure to the affected individual.
The adoption of those kinds of provisions—transparency reporting and that disclosure—would, I think, be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
I welcome your questions.
Good morning, committee members. Thank you for the opportunity to address you on the matter of Bill , which proposes amendments to PIPEDA.
My involvement with this legislation goes back to its genesis with the CSA model privacy code and the subsequent initiatives to legislate voluntary standards. As a lawyer with the Public Interest Advocacy Centre at the time, I was a public interest representative on the committee that drafted the code. I later advocated for legislation that eventually took the form of PIPEDA.
I have been closely involved with PIPEDA ever since, first in my role as a consumer advocate with PIAC and later as director of CIPPIC, both of whom I understand you have already heard from. In particular, I have conducted studies of private sector compliance with PIPEDA. I have lodged a number of PIPEDA complaints with the Privacy Commissioner. I have taken the Privacy Commissioner to court in order to establish that she had jurisdiction to enforce PIPEDA against foreign corporations acting in Canada. I published a study of security breach notification laws in 2007. I've been urging the government to adopt mandatory security breach notification laws since 2003.
Today I am speaking on my own behalf as a lawyer and privacy advocate. The last formal submissions I made on PIPEDA reform were in 2008 in my role as director of CIPPIC. Those submissions focused on three issues: security breach notification, protection of minors, and compliance and enforcement. The analysis and proposals made in those comments remain apt today, and I would be happy to provide copies of that submission to anyone who is interested.
I'm happy to see that the government has seen fit to address all three of these issues in Bill , but I am disappointed that the measures in each case fall far short of what is needed. I will address each of these three topics briefly, but before doing so I would like to address an elephant in the room. That elephant is consent.
There is a pretense that companies are obtaining informed consent from customers to the collection, use, and sharing of their personal data. But anyone who takes the time to study what is actually going on will quickly see that this is, to a large extent, a fiction and that meaningful consent is rarely obtained from consumers.
Negative option consent is commonly used but rarely brought to the attention of customers. Consent is in fact often assumed simply by virtue of use of the service. Changes to privacy policies are simply posted on the company website and customers are expected to inform themselves. No one really expects individuals to read through lengthy, complex terms of service for every transaction. People simply don't have the time. If they do take the time to read the terms, they may find that they are notionally consenting to have their personal data used for purposes such as—and I'm quoting here from privacy policies that I've looked at—research, marketing, product development, and business purposes. In further violation of PIPEDA, many companies are refusing to deal with customers who won't agree to unnecessary uses of their personal data, such as marketing.
A reality check is needed on what is happening in the marketplace with so-called customer consent. In the meantime, proposed section 6.1 is a helpful qualification on what the law already requires. It may have some positive effect on what is, in my respectful submission, a widespread disgrace.
However, the current wording of proposed section 6.1 could actually have a perverse effect on the protection of children or seniors. If you read the clause, you will see that it fails to protect vulnerable populations to whom an organization's activities are not directed. All that a company needs to do to exploit children is to direct its activities to adults and then turn a blind eye to the fact that children are signing up. A simple fix is to revert to the earlier wording of this clause found in Bill . However, if the aim is to protect children, a much more effective approach is simply to prohibit certain uses of personal data about children.
I have a few words on breach notification. This is long overdue, and it will certainly be an improvement on the current situation. But are the proposed rules going to be effective? Breach notification is about more than notifying individuals. An equally important goal is to create incentives for organizations to put in place strong security safeguards.
In order to create such incentives, there needs to be a real risk of significant financial harm to a corporation from failing to put in place adequate security measures. This is the test you should be applying to your assessment of the proposed breach notification regime: is there a real risk of significant financial harm to corporations from non-compliance?
I am not convinced there is. Fines apply only to failure to report or failure to keep records and require cumbersome proceedings and proof of intent. Civil lawsuits are too costly to make sense in most cases, and the Privacy Commissioner may be dissuaded from using publicity for this purpose as a result of subsection 20(1.1), which prohibits disclosure of breach notification reports. I do not understand that section.
Until there are real financial incentives for corporations to take appropriate measures to prevent breaches from happening in the first place, and to otherwise comply with privacy laws, non-compliance with PIPEDA will continue to be a cost of doing business in Canada.
I'd like to finish with a few comments on private investigations. I am very concerned that, if the proposed changes to the current investigative body regime exception go through, this bill will actually set back privacy protection in Canada.
I will not repeat the able submissions of my colleague Dr. Geist on this subject, but let me just point out that in the new world of cheap data storage and powerful data analytics, the only limits on how far companies will go in their efforts to detect fraud, criticism, or contractual breaches will be what you put in this law. With today's technology, it's less costly to gather more data and to apply analytical tools to a large database than it is to restrict the intake of data to that needed in the first place.
In this context, insurance companies and other companies will, no doubt, argue that it's reasonable for them to conduct what amounts to broad and deep surveillance of their customers in order to detect fraud.
Paragraph 7(3)(d.2) would allow just that. It requires no formal investigation. The disclosure just needs to be reasonable, not even necessary as in the previous formulation in Bill . This provision would open the door to routine sharing of personal data among organizations based on nothing more than the always present risk of fraud. Moreover, there would be no transparency or accountability requirements. It would be a major setback for consumer privacy.
I understand that this amendment was based on the Alberta model, but I looked at the Alberta model, and subsection 20(n) of the Alberta statute is not as permissive as this. It actually limits sharing to certain kinds of organizations.
I urge you to remove these clauses from the bill and stick with the current investigative body regime. I also urge you to adopt the transparency measures that my colleague Dr. Geist recommended.
Thank you very much.
The Spencer decision, as I think we've all recognized and have seen raised now concerning a number of bills and committees, finally brought to a head a long-standing, simmering issue around the question of whether there was a reasonable expectation of privacy and subscriber information. The Supreme Court of Canada quite clearly left no doubt that there is.
Bill C-13, the lawful access bill, which of course has now been passed, and Bill S-4 were I believe both drafted at a time when there was some amount of uncertainty. Government in particular, I think, took the view that they could argue that there was not a reasonable expectation of privacy in that information and that, therefore, either warrantless disclosure or voluntary disclosure was consistent with the state of the law.
That uncertainty changed last June when the Supreme Court of Canada issued its Spencer decision. My view is that the spirit of that decision, which clearly recognizes that there is a reasonable expectation of privacy of the information...so much so that we now see law enforcement shifting towards a world that recognizes this point, and which has to obtain a warrant before they get the information. That recognition surely ought to be consistent with what we put in legislation within something such as Bill S-4.
The problem with Bill S-4, drafted before Spencer, is that it runs completely counter to it. The expansion of voluntary disclosure without condition, as many other courts in other kinds of cases have said, without court oversight to me appears to run directly against the spirit of Spencer.
While Spencer of course deals with a law enforcement situation and here we are dealing with a private sector situation, the information itself is the same. It's subscriber information, and the question is under what circumstances we disclose. Moving towards expanding that disclosure through voluntary measures runs directly counter to what I think the Supreme Court of Canada has identified as the appropriate standard for disclosure.
I was doing this bit of turn of phrase taking the legislation as it applies to security breach notification and applying it to companies. I think you need to step back, look at the big picture, and say, “Is this going to be effective? Are there sufficient incentives for industry to comply?”
When I say “comply”, I don't just mean reporting the breach and keeping the records of it; I mean complying by putting in place adequate security measures in the first place. I would think that what we're trying to do, first and foremost, is to make sure that companies put in place reasonable security safeguards. You need incentives for that, and in the private sector those need to be financial incentives.
I'm not sure if that was your question, but the point I was making is that I'm concerned that we may not have adequate incentives. A very strong incentive is negative publicity, and I don't understand why the Privacy Commissioner is being dissuaded in this legislation, under section 20, from publicizing those reports. Why don't we make them public? Why isn't transparency reporting part of transparency disclosure?
The submissions that CIPPIC made in 2008 on this issue were that we should establish a public registry of security breaches. Why are we treating these as confidential?
My concern with the security breach disclosure provisions, which I think quite clearly are long overdue—we've been passed by by so many other countries and jurisdictions on this—is frankly that we had it better in the earlier iterations of this bill, in Bill and Bill , which, as I'm sure you know, created a two-step process.
The first step is notification to the Privacy Commissioner of a material breach, and that, of course, didn't include the necessity of the real risk of significant harm. It was more a matter of the breach itself.
Then you get into the secondary question of under what circumstances you go down the much more challenging avenue of having to disclose this breach to everyone who's affected, recognizing that there may be circumstances in which that's appropriate and others in which it's not.
What we've done here, by removing that and creating a higher threshold for all disclosures, I think means that systemic breaches don't get disclosed. It means that, many times, important material breaches simply don't get disclosed, and organizations that have underlying problems don't have to fess up at all.
I think we recognize that in some circumstances we have the incentives for organizations not to disclose because of the costs and the embarrassment factor. We also want to ensure that we don't have so many disclosures that consumers are receiving notifications on a daily basis, and they simply tune all of that out.
There is a balance to be struck, but I think we did a much better job, the government did a much better job, of striking that balance, particularly for things like systemic breaches within an organization, by saying, “Surely that's the sort of thing that we would want the Privacy Commissioner's office to know about”, and yet we've effectively removed that in this bill. It's hard to understand why.
That's the area that I am most concerned about. Every time we pick up our BlackBerry or whatever gadgets we have, I agree that we don't read it. I would suggest that very few people read any of that. It's just an automatic check. It's a nuisance, and we just agree to it—until we find out that we have no protection, or very little protection. I think that's what we are trying to do here: to look at how to protect the consumer.
I attended a conference on cybersecurity yesterday. Certainly the issues that were raised there about security, whether you're talking about the Internet and so on, somehow make Bill look like it's still nowhere near what it should be, or the kind of legislation we need to be putting forward to better protect Canadians. I think it's unrealistic, frankly, to think that with this legislation companies are going to be reporting all of these breaches and so on. I think they'll ignore it. I think a $100,000 penalty is insufficient for a significant breach, based on the kinds of things we're learning through this process.
Certainly, Dr. Geist, your comments about transparency and disclosure would go toward improving it, as far as the real risk that consumers are facing is concerned, before they get into things like identity theft and violation of their basic rights. I don't want all my information shared with every Tom, Dick, and Harry who wants it. If we are going along with Bill —and, from my party's perspective, I'm not sure that we are, but at least we're trying to make some improvements—what else would you suggest we need to put in here to make it stronger and more enforceable? I would ask that of all three, given my timelines here.
Sure. Perhaps I'll start by highlighting a couple of things.
We've talked, obviously, about the security breach rules and about the voluntary disclosure, but focus for a moment on penalties and order-making power. I think that to an expert in privacy who came to Canada and learned that our federal commissioner does not have order-making power, that would be, frankly, stunning. His provincial counterparts have it. His counterparts around the world have it. Frankly, it's embarrassing for our federal commissioner to go to international meetings of other similarly placed data protection and privacy commissioners and find that he simply doesn't have order-making power as his counterparts do. To me, compliance agreements are a step in the right direction, but order-making power is actually the more appropriate solution.
With respect to penalties, I think you're right. I think tougher penalties do make a difference. If anything, the government has provided us with a good example of how that can happen: the anti-spam legislation, which of course is coming in for some amount of criticism, but I was a supporter of it. I was on the national task force that looked at this issue, and I appeared before a committee. I think one of the places where it gets it right is with tough penalties and a clear opt-in consent approach. It basically says that consent is a fiction at some point in time, but it's a particular fiction under PIPEDA. We somehow have reached the conclusion that things like negative option check boxes, the little boxes at the bottom of a web page that you're never quite sure if you're supposed to check or uncheck if you want to have your information used or not—it's oftentimes designed to be confusing—are appropriate as a standard of consent. That's bunk. I mean it's clearly not.
What CASL, the anti-spam legislation, tried to do, was up that with opt-in consent and real penalties. We saw the CRTC come forward with more than a million-dollar penalty against one organization just last week. Those are the kinds of penalties that get the attention of organizations. That's a higher standard with respect to consent that I think also clearly has an impact. In some ways we have a model—the government has passed it—with respect to commercial electronic marketing. What we need to do now is to take that sort of model and acknowledge that it ought to apply far more broadly with respect to privacy protection in the private sector.
I have three points in answer to your question. I agree with everything Dr. Geist just said.
The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a hard limit but is vague, that it include no marketing of children or seniors; no collection, use, or disclosure of personal data of children and seniors for marketing purposes. That's already in the marketing industry's code of conduct. Put it in the legislation.
The second point is on real consent. As Dr. Geist said, forget this fiction of negative-option consent. Require express opt-in consent for all non-essential uses of customer data, including marketing. What I found in my research is that companies across the board are now including marketing as one of their primary purposes of collecting our data in order to provide the service we've asked them to provide. They are now treating marketing as a primary purpose. They're certainly not getting express consent. In many cases they're not even getting negative-option consent; they're not even letting us opt out of that.
The third point is on order-making powers. As Dr. Geist said, penalties should be easy to impose. Penalties should not require intent, proof of intent, and quasi-criminal proceedings, but should be administrative monetary penalties such as what the anti-spam law is using.
Thank you to the witnesses here today.
I think each of the witnesses is aware that there have been hearings back to 2006, which I think Mr. Geist referred to.
PIPEDA was written in the 20th century. It's over a decade old and it needs to be improved. This is what Bill attempts to do.
Also, it is almost impossible to get unanimous support for any piece of legislation, so I think there has been a lot of energy that's gone into improving PIPEDA. Canadians want companies to tell them if their personal information has been lost or stolen and if they've been put at risk. I think that consent needs to be appropriate, particularly for target groups like children.
Dr. Geist, you've been involved with providing input to the Senate. You were involved in the hearings back in 2006.
My question is for Mr. Gogolek. When the Senate dealt with this at committee a year ago—not quite a year ago, but when the hearings at the committee in the Senate were beginning on Bill , did you appear as a witness? As you're aware, any legislative changes have to be supported in both Houses, and Bill began in the Senate and is now in the House of Commons. Were you a witness when this was dealt with at the Senate?
Chair, I think it would have been very helpful if these points had been made at both the Senate and the House.
My question relates to a presentation made by the commissioner. The commissioner made a presentation not quite a year ago, in June of last year, before the Senate committee as they were dealing with Bill , and then appeared before this committee on February 17.
I just want to read the summary of the commissioner. The commissioner does have new tools and greater flexibility to enforce PIPEDA. The commissioner said:
Overall, the introduction of Bill S-4 is a positive development for privacy protection in Canada. PIPEDA was written in the 20th century. It is more than a decade old. From a privacy perspective, the world has changed dramatically during this relatively short time. Passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the Office of the Privacy Commissioner better protect Canadians while addressing the emerging privacy issues of the 21st century.
Also unable to be with us today, Chair, is the Insurance Bureau of Canada. They provided a submission to the Senate when this was dealt with last year and they've communicated their support for aspects of the bill, particularly the fraud prevention measures.
Generally, the committee has heard support for this, and it's important that we provide the protection Canadians want. Bill does that.
Do any of the witnesses here today have a critique of the commissioner's perspective in supporting Bill going ahead?
:
Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill . Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.
In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.
We got first reading of Bill in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.
The next bill that was introduced was Bill , which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.
We finally now have Bill , on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.
With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.
So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.
Thank you to all the witnesses.
I'm puzzled by the line of questioning by the previous member, because clearly it was the government's decision to, first of all, introduce this bill in the Senate and to give it very little review, with very few witnesses, very little oversight, and to take nine years, frankly, to develop this legislation. There's no excuse for that kind of delay.
There was an implicit criticism of these witnesses for not having offered their testimony at the Senate hearings, but there was no opportunity for them to do that. Having said that, their perspective, Mr. Chair, was covered.
:
Okay, super, thank you.
I do want to reiterate the point, through you, Mr. Chair, that the point of view that is being expressed by the witnesses here today, and the concerns that they're expressing about Bill were in fact offered to the Senate committee, but those changes that were recommended were not reflected in the bill that we see before us today. I'm assuming that's what we're being advised of here.
I think the witnesses are raising serious concerns and the Privacy Commissioner, himself, raised concerns about the scope of this bill.
Ms. Lawson, I want to start with you and ask you specifically about the subjective model proposed here for companies determining if there's been a mandatory data breach, disclosure on that. Can you advise us of your interpretation of what could happen with what's being offered in Bill , and how you would recommend tightening up that provision?
I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly.
One solution is to have the Privacy Commissioner be able to review the breaches and determine which breaches require, for example, notification of individuals. This is the model that is being proposed by PIAC, I believe, and it's certainly one that would get around the problem of the industry itself determining whether or not a breach meets the threshold for reporting to the Privacy Commissioner and/or to individuals if you go with a different standard.
I think it is a problem. I guess you can call it a subjective standard, but the problem is that industry is making its own determination, and if you're going to go with that kind of model, then it's all the more important that you have strong incentives in place for industry to comply. Otherwise they won't. It's simply not in their interests, and that's what we're seeing. If you study any aspect of PIPEDA compliance right now, non-compliance is just a cost of doing business right now. That's a fact.
I'm disappointed that the Privacy Commissioner is not really acknowledging that and calling for order-making powers. It's something that's very disappointing to me. As I said already, I had to take the Privacy Commissioner to court in order to get her to exercise her jurisdiction at that time, and it seems that for some reason there is not the appetite that there should be in that office for order-making powers and more effective enforcement of this legislation.
:
I think Dr. Geist made a good point in that respect in suggesting that we look at the anti-spam law this government has passed and the attention it's getting from industry. Dollars matter, but it's also the process.
With fines, quasi-criminal fines, that require prosecution and proof of intent, even if they are high, the risk of a company being fined is very low.
What's much more effective are administrative monetary penalties, which can be imposed much more easily without the quasi-criminal process and proof of intent. That's the route we've gone with the anti-spam law and that is the route we should be going with for this law as well.
Another very strong incentive is civil lawsuits. If individuals are able to bring civil lawsuits or class action suits against companies, that can be a very strong incentive. It's not a strong incentive under this regime because it's too difficult to do so, because there are no damages for embarrassment in it. That's been taken out. It has to be humiliation, so it's a high standard, and there are not a lot of dollars an individual would get even if they were able to sue.
There are different ways. The third type of incentive is bad publicity, but once again we're not seeing that being used very often by the Privacy Commissioner. This regime—when you look at section 20, which does allow for disclosure by the Privacy Commissioner if it's in the public interest—starts out by saying that there shall be no disclosure of this breach through reporting.
Why not? Why not make that a transparency reporting thing? Why not use bad publicity?
So there are three types of financial incentives that can be used, and I don't feel that any of them are being used to the optimum under this proposed legislation.
:
What I said was that I'm concerned about disclosure without a warrant and without consent, or without knowledge.
Warrants involve situations where we have disclosures to law enforcement. Where this law applies is not to law enforcement, but rather to voluntary disclosures to non-law enforcement.
We've seen under PIPEDA, the existing system, the ability for organizations, where they are conducting investigations or potential lawsuits, to go to get the necessary court orders for disclosure of that information.
In a number of those kinds of cases what the courts do is to set real conditions around that disclosure. There is both oversight as to when those disclosures occur, and then clear limitations on how that information may be used, including to whom it may be further disclosed, and the need to destroy it—a whole series of conditions recognizing the privacy import of that information.
What this bill does is to expand voluntary disclosure of that information without court oversight and without any limitations.
:
No. What I'm referring to is an organization that has my information. There may be instances where they are disclosing it either to law enforcement or to private sector organizations.
In the law enforcement context, if it's a warrant, and post the Spencer decision, it's quite clearly now going to be a warrant, or should be a warrant.
In the private sector what this bill does is to say that we can disclose information on a voluntary basis without a court order and without any sort of court oversight.
I'm saying that, over the last number of years under PIPEDA, we've had cases where organizations have said that they want to identify who those subscribers are because they want to sue them, and there's an instance where they are conducting this investigation or have this legal process. The court examines the circumstances around whether there's an appropriate case to order that disclosure and sets limitations on the disclosures that can occur.
What Bill does is to expand the prospect of that kind of disclosure on a voluntary basis.
:
Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure. At the same time, it creates incentives or protection for users because they become aware of these disclosures when they happen.
What we've got under Bill is such a high threshold, and I think Ms. Lawson referenced this as well, that if the standard is only a real risk of significant harm and we don't have big penalties associated with non-disclosure to begin with, at least if you're a larger organization, in many instances, I think it's going to be quite rational, frankly, for an organization not to disclose. They're going to ask, first, what's the risk that anyone will ever find out about this? Second, if they do happen to find out about it and someone shows that there was a real risk of significant harm, then we will face a penalty. But even there, the penalties are relatively low.
So what the California law does is to say that we want to ensure that if we're going to err on one side or the other, it will be to err on the side of trying to mitigate against identity theft, to err on the side of ensuring that there is better security, and by lowering the threshold. We tried to do that a little bit in Bill and Bill with the two-step process, so that at least you could be sure that the Privacy Commissioner would be aware of the circumstances where there's a material breach. But in doing away with all of that, I don't think it's just a fear that breaches will occur in Canada. I think these should be expected. And if you asked many Canadians, they would tell you, “Boy, I should have been told about that”. And yet they won't be because companies are going to err rationally, based on the way this law is drafted, on the side of not disclosing it.
:
I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill and Bill standard, that's not the standard we talked about. It set a material breach as the standard.
You can debate whether or not that's the appropriate standard, but at a minimum it gets us at a number of breaches that this law will not. Moreover, it does so in a way that I think was good for companies too, because rather than companies being faced with this either/or of going to the expense and potential embarrassment of simply disclosing or not, it said as an intermediary step, let's discuss this on a confidential basis with the Privacy Commissioner's office and determine whether or not it warrants that broader disclosure.
Frankly, that was a good thing for organizations to potentially avoid having to make those broader disclosures, in some circumstances, and it provided the comfort of ensuring that users knew that, at a minimum, we had an advocate, the Privacy Commissioner, who was going to be made aware of these circumstances.
It's puzzling to me why this was removed in favour of a process that, frankly, does less to protect Canadians and, ultimately, actually can create larger costs for companies as well.
I found it interesting to listen to all of the testimony first before getting a chance to talk.
Ms. Lawson and Mr. Geist both made similar statements. I wrote down that Ms. Lawson said, “We should be getting it right” and Mr. Geist that “We have to get it right”.
Interestingly, of course, I think that when we have these hearings, “right” means “the way you want it”. Ultimately, there have been other witnesses who have come before committee and said very different things. If the definition of “getting it right” means, for example, agreeing with those who said that consent provisions go too far, which we heard in the previous meeting, I don't imagine you would think it means we're getting it right.
Someone said that our data breach reporting regime is too onerous. If we decided that was the direction to go in, I'm quite certain that neither of you would say that this is “getting it right”. When anyone uses this term, I always hearken back to our hearings on anti-spam and copyright and even UBB. People's definitions of getting it right are very different. As in those cases, we're left to try to find the balance between very different, competing positions, and I think the case with this bill is no different.
Taking a look at three of the areas that have come up, I find it interesting....
Ms. Lawson, I'm going to come to you first and deal with section 20. You mentioned you had some concern with that section, I think around the confidentiality provision written into Bill .
:
So I would certainly say that this new provision, in this bill, has some teeth.
I want to go to proposed section 6 with you as well, if I may, because I found your comment about its being an elephant in the room interesting. You talked about the pretence that companies are obtaining consent.
As I read it, as I look at the new legislation as written and as you identified, it uses the phrase “an individual”. It says here that it is
valid if it is reasonable to expect that
—and this is the part that you had an issue with, but that I actually love—
an individual to whom the organization’s activities are directed
—so basically any individual—
would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
So it is for everybody. It doesn't just single out kids or any other particular group of the vulnerable; it actually applies to everybody. That consent is only valid if it is reasonable to expect that an individual to whom you're targeting your activities would understand the nature, purpose, and consequences of the collection.
You talked about the elephant in the room. I agree with you. I often think that clicking a mouse to try to get through to something else that you want to use on the Internet is just too easy. I think this clarifies that people need to understand the nature, purpose, and consequences. Don't you agree?
:
I'll close by responding to what Mr. Lake noted regarding what happens when witnesses talk about getting it right. I will just provide two things, first to note that the government has painted this legislation as being pro-consumer—obviously part of the digital economy strategy—which makes it clear what the intent of the legislation is. I think it is difficult to say that you're getting that balance right, particularly when the legislation is framed as trying to protect consumers and being pro-consumer, when you have those same pro-consumer groups and even the Privacy Commissioner pointing to problems, such as the voluntary disclosure provision. To me that means that balance isn't getting struck appropriately.
Even more, my reference to getting it right really wasn't in terms of the substance, but rather to say that we should not be cautious about amending the legislation where there is a belief that it can be improved. The question was raised—and my apologies if I got more passionate than I might usually get on this issue, but this is an issue that we have spent many years focusing on—that if we are all in agreement that privacy is important, surely we can give this bill, including potential amendments, the same kind of priority we're providing Bill with, which is also clearly on a bit of a rocket docket, with perhaps not even the Privacy Commissioner getting to testify on it.
There is an opportunity to do so, if we're going to think about how privacy and security often go hand in hand. If we're prioritizing Bill C-51, we can similarly prioritize Bill and find a way to get this bill, with some amendments as necessary, done and passed through the Senate and back into the House so that when an election comes, Canadians can look at a piece of legislation and say that it really does reflect the kinds of concerns they have with respect to privacy.