Proceedings of the Standing Senate Committee on
Transport and Communications

Issue 7 - Evidence, June 3, 2014


OTTAWA, Tuesday, June 3, 2014

The Standing Senate Committee on Transport and Communications, to which was referred Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act, met this day at 9:30 a.m. to give consideration to the bill; and in camera for the consideration of a draft report on the subject matter of those elements contained in Divisions 15, 16 and 28 of Part 6 of Bill C-31, An Act to implement certain provisions of the budget tabled in Parliament on February 11, 2014 and other measures.

Senator Dennis Dawson (Chair) in the chair.

[English]

The Chair: Honourable senators, today we will continue our review of Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act. It is also known by its short title, the digital privacy act. Bill S-4 amends the federal private sector privacy law in several ways.

Mr. Lawford, I believe you are going first.

John Lawford, General Counsel and Executive Director, Public Interest Advocacy Centre: Mr. Chair, honourable senators, my name is John Lawford. I am the executive director and general counsel of the Public Interest Advocacy Centre. With me is Geoffrey White, counsel to PIAC.

PIAC is a charitable and non-profit federally incorporated organization, founded in 1976, that provides legal and research services on behalf of consumer interests, in particular, vulnerable consumer interests concerning the provision of important public services.

PIAC is pleased to comment on Bill S-4, the digital privacy act, which proposes amendments to the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, which I will refer to as PIPEDA.

Privacy is, you will appreciate, an increasingly hot-button issue, and for good reason, given the almost daily revelations about the practices of both businesses and governments when it comes to trading in the information of Canadians. Privacy is also the second pillar in the Government of Canada's Digital Canada 150 strategy, in which the government promises that "Canadians will be protected from online threats and misuse of digital technology."

PIAC has been advocating for consumer privacy protection since before PIPEDA. That is why we are disappointed with this bill. It is a poor rewrite of Bill C-12, which similarly failed to make amendments that would protect consumer privacy. Rather than result in better privacy protections, the amendments in this bill will actually weaken consumer privacy. We present to you today three major problems for your consideration.

The first major problem with the bill is the data breach amendment, which tries to create a reporting regime for companies to notify individuals when their data is lost, stolen or otherwise compromised but which needs to be fixed. This bill requires companies to report data breaches directly to consumers and to the Office of the Privacy Commissioner of Canada at the same time, but only where a high threshold is met. If the threshold has not been met, there is no reporting to anyone — not to the OPC, not to consumers. All that a company must do when it is of the view that there is a real risk of significant harm, which is the test in the bill when it is not met, is to write a breach record and keep it secretly to itself. Companies wish to avoid data breach reporting due to the possible reputational damage and to the fact that most breaches cost companies $200 per record to report.

True, companies must keep this record of all breaches to be available for inspection by the OPC, or the Office of the Privacy Commissioner, but why would OPC target any particular company for such a check? The OPC hardly has the manpower to deal with the regular complaints it has and simply will never be able to, for example, systematically pull breach records for an entire industry over a three-year period or even a one-year period. The breach records will remain, like The Scarlet Letter, a little corporate secret. Unfortunately for data breach victims, they will wear the loss of that data, while the OPC will be unaware of the breach and unable to audit or investigate.

Also true, it will be an offence to knowingly contravene the data breach requirements or record-keeping requirement, yet a company need only have an internal assessment process that claims to have deemed each breach too inconsequential to report, in which case the company will have a legal due diligence defence.

Another risk is that the company may deny it has had any breaches, that is, not record them. The only possibility to obtain a conviction, so to speak, for such a deliberate avoidance will be at the hands of a whistle-blower. This is very unlikely.

All the incentives, therefore, for the data breach provision point away from actually reporting breaches to the consumer. Legislation should create incentives for companies to align their operations with legal requirements. This bill does not do that. We anticipate that such a reporting regime, as written, will understate the extent of serious data breaches.

We have given you a proposed amendment, which I believe the clerk has distributed. Our proposed amendment would be to remove the discretion on the part of the company and thus require reporting of all breaches to the Privacy Commissioner.

Geoffrey White, Counsel, Public Interest Advocacy Centre: The second major problem with the bill is the amendment, proposed new PIPEDA section 7(3)(d.1), giving companies the ability to voluntarily disclose to another company personal information about the first company's subscriber without permission, without even telling the customer that such a disclosure has been made and without any due process.

You have likely heard of the legal furor that such a voluntary exemption for private sector disclosure to government bodies has created in the courts. That controversial exemption is now before the Supreme Court of Canada and is the subject of another challenge by the Canadian Civil Liberties Association saying it is unconstitutional.

Yet the new exemption proposed in this bill is in some ways more sinister. The private sector exemption quite simply allows private sector spying on consumers without any due process whatsoever. The new exemption avoids any judicial determination, yet the civil court system has rules of evidence and procedure that protect consumers' privacy. For example, we already have in Canada a balanced private disclosure regime for alleged copyright violation that has been developed in several Federal Court of Canada decisions. This exemption should be removed from the bill.

Mr. Lawford: The third major problem is about the proposed amendment to the consent provision in PIPEDA, which is new section 6.1. This provision is redundant. It states the present legal test for consent under PIPEDA — that is, informed consent — which the Federal Court of Appeal made clear in a case called Englander v. TELUS. Redundant provisions create confusion in those who must comply, and this "extra consent level" will risk a lowering of the present consent standard elsewhere.

This provision is seeking to indirectly address an area very dear to PIAC's heart, given our past work, namely, children's privacy. This bill, however, does not create a new standard for children's consent, which is the real goal, likely due to the concern that the age of majority in each province is a matter of property and civil rights under civil law.

A previous house committee recommended that this issue be studied so that children's privacy, so vulnerable in an age of constant connectivity and social networking, could be directly addressed in PIPEDA. That's the better way forward on children's privacy, not a disorienting, redundant provision.

In conclusion, while the government has indicated that its proposed measures in Bill S-4 will protect Canadians' digital privacy, they will in at least three fundamental ways do exactly the opposite. Our solution to these major problems is to either modify or remove the provision in question until such time as Industry Canada can get them right. Industry Canada would be much more likely to do this if this chamber and the other place were to hold hearings, as required by PIPEDA but so far avoided, to holistically review PIPEDA.

Thank you very much for giving PIAC this opportunity to appear today.

The Chair: Thank you.

The chair, in the rush to start, forgot to introduce the witnesses. I would like to introduce, from the Public Interest Advocacy Centre, John Lawford, Executive Director; and Geoffrey White, Counsel. We will have a second group with the Canadian Bar Association, with David Fraser and Jean Nelson. We will do this for about an hour and then we will have a second panel at 10:30.

Jean Nelson, Honourary Executive Member, National Privacy and Access Law Section, Canadian Bar Association: Thank you very much, and good morning everyone. My name is Jean Nelson, as the chair introduced, and I am a member of the executive of the privacy section of the Canadian Bar. I am also a member of the advocacy committee of the Canadian Corporate Counsel Association. My colleague, David Fraser, is also a member of the CBA privacy executive and is also chair of the CBA privacy section of Nova Scotia. Thank you very much for the opportunity.

The CBA has been very engaged in the PIPEDA process. The CBA is an association of over 37,000 members across the country. Our mandate includes upholding the rule of law and seeking improvements in the administration of justice. We speak to you today from that perspective. We wish to express our support for the objectives of the digital privacy act, Bill S-4, but we also recommend improvements to the PIPEDA amendments. Our brief is before you. It's extensive, so we are not going to walk through all of it. We're going to highlight two areas for you this morning, and I will tag team with Mr. Fraser.

I will speak first to the disclosure without consent, which you heard already from our colleagues from PIAC, and Mr. Fraser will speak to the breach notification provisions.

Without further ado, I will begin on the disclosure without consent. We would be pleased, of course, to answer any questions about the entirety of the brief before you.

In a nutshell, regarding disclosure without consent, we believe that this provision should be subject to further analysis in order to consider narrowing its scope. We are concerned that, as drafted, the proposed PIPEDA amendment, section 7(3)(d.1) and (d.2), is unnecessarily broad and would permit disclosure without consent in an inappropriately broad range of circumstances.

This section appears to be connected to the removal of the concept of "investigative bodies." Under the investigative bodies scheme, the Governor-in-Council could approve by regulation specific bodies or categories of bodies to which organizations could disclose personal information. The proposed new sections are consistent with the position expressed on this issue in earlier CBA submissions from 2005, in which we had urged the government to consider alternative models to the investigative body such as those found in Alberta and British Columbia.

However, we believe that Bill S-4 does not hit the mark and, as we phrase it in our brief, requires finesse. The CBA would be pleased, as set out in our brief, to work with government and other stakeholders to achieve this right finesse. We understand the need for proposed section 7(3)(d.2) as major industries such as banking, financial services, insurance and other public and private sector organizations share information to detect, suppress and investigate fraud. However, we are of the view that this provision should be more closely tailored to its actual purpose to prevent abuse of its broad wording.

That concludes my remarks on disclosure without consent. With your permission, I will now ask Mr. Fraser to amplify CBA's perspective on the breach notification provisions.

David Fraser, Branch Section Chair, National Privacy and Access Law Section, Canadian Bar Association: I am pleased to speak with you about the breach notification provisions in Bill S-4, the digital privacy act. As you know, clause 10 of Bill S-4 sets out the same test for notification of a breach to the individual and reporting of breaches to the Privacy Commissioner. In Bill S-4, every breach that is notifiable to the individual is also reportable to the commissioner. This is unnecessary and, in our view, should not be required. The two forms of notice have different purposes, and therefore there should be a distinction between them.

The purpose of reporting to the commissioner is to track the volume and nature of breaches by any particular organization. The purpose of reporting to the individual is so the individual could possibly mitigate any harm that might result from the breach. These are different. While the threshold for notifying individuals should be based on the existence of high risk of harm to an individual, reporting to the OPC should be premised on the existence of a major or material breach.

We also recommend that in addition to factoring in the sensitivity of the personal information as required in the proposed section of PIPEDA, 10.1(8), the second factor should be the probability of access rather than the probability of misuse.

In many cases, an organization subject to a breach of security safeguards can reasonably determine the probability of access to the information by assessing the extent to which the information was encrypted, redacted or otherwise altered. Determining the likelihood of misuse is a much more challenging possibility and requires too much guesswork on the part of the organization. In a breach situation, little is often known about who is responsible for the breach and their intentions. It would be more reasonable and more practical for probability of misuse to be one of the factors with probability of access as an independent, stand-alone consideration.

We also suggest some alterations to the definition of "significant harm." As you know, Bill S-4, in clause 10, sets out a definition of "significant harm" which includes a non-exhaustive list of examples. We question whether the definition should be included. While some listed examples unquestionably constitute significant harm, such as bodily harm or loss of employment, others would not necessarily constitute significant harm, depending on the severity of the circumstances, such as damage to relationships or damage to property. In some cases, they are too speculative. While the examples are all forms of harm, whether they are significant is going to depend upon the exact circumstances of the breach and the nature of the information. Rather than deeming all listed harms to be significant on their own, it would be preferred to have OPC guidelines or established understanding of the circumstances.

We also have concerns about the provisions in the bill related to the notification of third parties. As currently drafted, Bill S-4 would make it mandatory for an organization that has suffered a breach to notify certain third parties. We see the rationale but have concluded that it should be discretionary. A mandatory requirement to notify third parties rather than a permissive one raises a number of issues.

Does the organization or government institution so notified have to take steps to mitigate the harm that could result from the breach? There is no obligation in the bill for them to do that. If they do take steps and those cost, who pays for it? Finally, what if an organization fails to identify each and every third-party organization or government institution that may be in a position to reduce or mitigate the harm? I have been practising in this area for more than a dozen years and I am not sure I could list all the organizations that could take a role in mitigating such harm. The CBA group therefore recommends that this should be changed from "mandatory" to "discretionary" and "may" instead of "shall," allowing for an assessment of the situation on a case-by-case basis. In no case should a failure to notify be an offence.

With respect to record keeping for breaches, we are of the view that the mandatory record keeping for all breaches, regardless of significance, is unworkable and places too great a burden on organizations. As currently drafted, every single breach, regardless of how trivial, must be logged in the prescribed manner, and it is an offence to do so improperly or imperfectly. We should be focusing on those that might have an impact on consumers. Businesses have no way of logging these things now, and setting up systems without any real benefit is a misplaced effort. Again, in no event should a deficiency in logging be an offence.

Finally, I would be remiss if I did not bring to your attention our concerns about privacy more generally, particularly as it pertains to bills before Parliament. Both Bill S-4 and Bill C-13, the protecting Canadians from online crime act, address privacy rights in the digital age. Both are connected and should be considered together. Bill C-13 addresses the ability of law enforcement to obtain personal information from organizations, and Bill S-4 deals with the ability of organizations to disclose personal information. It takes two to tango and the two fit together.

The CBA recently provided its comments on Bill C-13 before the parliamentary committee and recommended that one oversight body be created to monitor the cumulative impact of various laws and state actions upon individual privacy. We reiterate that here. With the proliferation of legislation governing the disclosure of personal information, such a body is essential to ensure a consistent and reasoned approach and to bolster public confidence in a regime established to protect the right to individual privacy.

We would both be very pleased to answer any of your questions on any of the matters we have raised in our opening comments or in our brief.

The Chair: Thank you very much for your presentations.

Senator Mercer: Thank you all for being here this morning as we get into the details of Bill S-4. It strikes me that the three issues that both groups have brought up are at the heart of the debate.

Regarding the notification of a breach to the individual and to the Privacy Commissioner, it only seems logical to me that the Privacy Commissioner — and the nominee will appear before the Senate this afternoon for some grueling — will know about all breaches so that he or she can judge what's going on in the Canadian sector. Is that what both groups are saying this morning?

Mr. Lawford: I will start and pass it to David. I think we have a slight difference in how many should be reported to the Privacy Commissioner. From PIAC's point of view, any breach should be reported to the Privacy Commissioner, the idea being that the Privacy Commissioner then knows. Under our proposed amendment striking out the linking of notifying actual individuals, the company would still be required to report to consumers significant breaches that might harm them, but the Privacy Commissioner would know what's going on. If the Privacy Commissioner were notified of, say, 100 breaches from one company in a year and only one of those was reported to consumers, they might want to audit that company. That's the way our amendment works, but I believe Mr. Fraser might have a different take on this. Generally, I agree with you.

Mr. Fraser: We take a slightly different approach to it. We wouldn't be advocating for the notification of all breaches because some breaches, while they might be technical breaches, would not result in any harm to an individual or aren't necessarily indicative of a systemic problem. There is a concern that if all breaches are sent to the commissioner, the commissioner will be inundated with these.

We have an example in our brief where if I overhear somebody speaking to a pharmacist when I go to pick up a prescription, that's technically a breach of security safeguards. Would that need to be logged, and does that need to be notified? That's a relatively trivial breach with no possibility of harm to the individual. There does need to be a threshold. That is what we would advocate.

Senator Mercer: I agree that accidental breaches will occur. Your example is a good one that we have all experienced as we've gone about our business.

However, it seems to me that if the Privacy Commissioner is going to measure trends and look at what potential problems there are, he or she needs to know what all the breaches are. If all the breaches are happening in a particular industry and there may be only one here and one there, it may point to a systemic problem that's not obvious. If you're only looking at one breach it doesn't look like a big deal. If you're looking at a thousand breaches in a thousand different locations, you may have a problem. It seems logical to me that we go to the root of the breach.

The Chair: Senator Plett has a supplementary on that.

Senator Plett: Thank you. My question really was exactly what Senator Mercer asked about trivial breaches. You're talking about trivial breaches, and my question to you is this: Does the Canadian Bar Association decide what trivial breaches are, or who makes that decision? What you might consider trivial I might consider fairly serious. As Senator Mercer suggests, one trivial breach might be one thing, but 500 trivial breaches makes it more than trivial. How do you square that box and who decides what's trivial? We may have an entirely different opinion of what's trivial.

Mr. Fraser: We would advocate for the development of a standard, something that would be clearly understandable and could be articulated to organizations to understand the reporting threshold.

Senator Black: That's what the government has done. They've decided what the standard is, and the standard is report all breaches.

Mr. Fraser: In Bill S-4 all breaches that result in a material risk of significant harm have to be reported to the commissioner, so only those that reach that threshold. The bill includes that all breaches, regardless of severity, need to be logged but do not need to be disclosed. That's the current scheme that's in the bill. We, like PIAC, would advocate that both have different purposes and it's a matter of determining the circumstances that would give rise to an obligation for reporting to the commissioner.

Mr. Lawford: The comment I made in our remarks about scarlet letter is if the company keeps this record of breaches to itself, there is no utility in that because the Privacy Commissioner can't possibly handle going and asking everybody for those records. If it comes to the Privacy Commissioner, they'll have records and numbers they can then analyze. It's better to err on the side of over-reporting for consumers, and that's the direction we're coming from.

Senator Mercer: I'm not sure I understand the purpose of disclosure of information to another company or why the Public Interest Advocacy Centre is concerned about it. I don't understand why it would happen, but also I want to know why you are as concerned as you are.

Mr. Lawford: The ways that a private company can get personal information that is otherwise confidential from another company are usually handled by the court system. If you have a beef with a consumer, say they're downloading your movies and you want to know who that consumer is, you have to go to the court and say, "We think it's this person and we need a little more information from the company," and there's a disclosure process in civil procedure in each of the court systems.

What this bill does is let them just send a letter or make a phone call and ask the other company for the information to just give it, please. The trouble is that if those two companies have any business dealings together they may well favour passing the information to each other quite freely, and not saying no because they can say no, but this exemption will let them just hand it over. In effect, the consumer is now not getting any of the protections you would have in a court system where the information has to be relevant; it has to do with the litigation. In other words, this can be in pursuance, like an investigation of something going on. What's to stop a company from just doing a blanket request regarding every consumer that's used this product for the last two months? "I want to see what they've been doing or for the next two months watch what they're doing." That's fishing. It's completely unprecedented.

Senator Mercer: I agree. We have to be careful about the transfer of information from one company to another. We give companies our information for particular reasons, and we do not anticipate that company A will share the information with company B, unless we do it through common usage things such as a rewards card where you use it in multiple locations. When you do those things you have to anticipate that the information is going to be shared with everybody who subscribes to those things.

Senator Furey: I want to ask a couple of questions of Mr. Lawford and Mr. White.

When you talked about consent, you touched on the fact that there is a whole regime of legislative majority ages in provinces that I don't think this legislation would really overreach; nevertheless, it's there. There is no age limit, so we could be talking about children of tender years. What is it they're getting at? What do the telecoms want here? What sort of protection is there? Is it just because some kid picks up an iPad and presses yes that they want immunity from disclosing any information or using that information?

Mr. Lawford: At the present time the law is such that they can collect information on, as you say, even children of tender years. There is no age limit. There is a reasonableness limit in the act, so certainly when I speak to lawyers they say it's not reasonable to collect information on children under the age of 13, but there's no law in Canada that says you can't make the argument that it is reasonable, especially with children using Facebook at age 8.

This bill is trying to close that loophole and it's saying, "If you get consent, golly gee, it's got to be really good consent," and the kid has to know the exact consequences, I believe with the assumption that there's no way they can understand the consequences of giving all their information on Facebook at age 8. The exception is that the concept of consent is already informed consent in PIPEDA, and so you're saying, "We really, really mean it." Our concern is that maybe the rest of the act will be infected and companies will say, "Well, this isn't a situation like with a child where we didn't have to really, really mean it." Consent can be lowered generally across the board in other situations. It's just confusing. If they want to have levels of consent for children, then, as the other committee mentioned, study it, find a way to work with the provinces and come up with some age-level consent presumptions. That would be our recommendation.

Senator Furey: You've talked about your proposed amendment. If the police want to go to a telecom or a bank, they now need a warrant to get information, but under section 7(3) of PIPEDA and now with this proposed amendment under Bill S-4, that information can be given voluntarily and there is no limit on it and it can be given with legislative immunity and probably even with impunity. How does your proposed amendment put this in check? I don't see that. I think your amendment is good, but I'd like to see something touching on this immunity as well.

Mr. Lawford: On that one, Senator Furey, our amendment deals only with the data breach; it's to make all breaches reportable. Our solution for this particular bill is to strike the exemption for private company access.

If I were appearing on Bill C-13, I would say no immunity for passing out the information, but I'm not called on that right now.

Senator Furey: As well, this goes a long way towards at least having some sort of oversight or check and balance, but shouldn't there be a time period involved as well where individuals are informed? Shouldn't there be disclosure at some point?

Mr. Lawford: In the past, when we've been asked about this even after the fact, our position has been if there has been access you should notify the consumer, I believe usually in 60 or 30 days.

Senator Housakos: Obviously we're entering uncharted territory when it comes to privacy issues, and technology is fluid, with the Web becoming more and more prevalent and powerful. The only immediate good news that's going to come out of what's going on from a technological perspective when it comes to data breach and information is that lawyers are going to be very busy with this issue over the next few years and probably decades.

Clearly, right now we're trying to determine as a society what is a significant data breach, and we're trying to determine what that threshold is. What might be a significant data breach for me might not be that significant for my colleague here. It's going to be difficult, I think, in the short term to quantify what that is.

I was wondering if anybody on our panel would like to share with us concrete examples, because we are talking in theory so far about data breaches. What concrete examples are we talking about that would be unacceptable information to flow out from various companies, be it a telecom corporation or the Canadian Bar Association? This bill applies to an association like the bar. You garner information on your members. What would you consider to be a concrete example of a significant data breach?

My next question is to Mr. Lawford specifically. In your testimony, you pointed out that with this particular bill, companies are not forced to disclose a data breach, depending on whether it was a significant data breach or not, and that's really the crux of your argument. But again, what does "significant" mean, and what is insignificant, and do you really believe there are examples of companies that have it in their interest to not disclose data breaches to their clients? Because at the end of the day, all these private sector companies, their bread and butter is providing a service to their core client base; and if they are not protecting the interest of their base and their clients, they will pay the price for it.

Mr. Lawford: With your permission, David, I will answer the second question and then pass it to you.

The concern with significant data breach, when it's left in the company's discretion, is always that they will do their best to decide whether it's significant or not, but they are not experts in this stuff. They may be experts in their own customers, but they are not experts in what happens to data when it gets out to thieves or it gets otherwise misused. We believe the Privacy Commissioner is, and our proposed amendment is to make sure the Privacy Commissioner just knows about all the breaches. Then, as we say, we leave the obligation on the company to go through that process and decide: Is this really going to harm our customers? If they do, they should report. Like I said, if they have had 100 breaches in a year and they've only reported one, maybe the Privacy Commissioner should pick up the phone and say, "What is going on here? Because we think that maybe you're not quite getting it."

The other thing is that there is a difference in, I believe, incentives. Companies really do have to weigh the cost of reporting the breach, which, from U.S. numbers, per record, is $200. That's a money thing that they have to churn through their minds about whether to report. We note that in Alberta, for example, where there is a different threshold for reporting, most things go to the Privacy Commissioner, who then orders the companies to report, whether they like to or not, when the Privacy Commissioner feels it's serious. In 2012, they made 94 breach notification recommendations. The voluntary guidelines at the federal level for the same year were only 33 for the whole country, so I think there are times when a privacy expert like the Privacy Commissioner might come to a different opinion than the company. It's not to say the company is wrong, but they might err a little more on the consumer side. That's what we're saying.

Mr. Fraser: In our recommendation, we are calling for a determination of whether a breach is material, and so it does come down to, certainly, as you raised, questions about what is material and what is not, and obviously privacy is one of those things that's in the eye of the beholder. I think there is a strong consensus on the sorts of information that would be considered in PIPEDA to be sensitive personal information, the breach of which could have significant consequences to the individual — for example, medical information, the sorts of information that could be used for foundational documents related to identity theft. I think there is a strong consensus within the privacy community that those certainly would meet that threshold.

Other sorts of breaches could be completely immaterial, and so that's the reason we've articulated a threshold of materiality. So, for example, the way that a breach of security safeguards is defined in the legislation includes any breach of security safeguards that the organization puts in place, even above and beyond. So where an organization adopts a clean desk policy, requiring that all documents be taken off the desk when they are not being worked on, if somebody leaves a document on the desk and goes away to get a cup of coffee, that technical breach, even if nobody saw it, would constitute a breach of security safeguards in the legislation that really doesn't have any possibility of affecting anybody. That document was not even viewed, but leaving it on the desk constitutes a breach of security safeguards.

It's a matter of developing and articulating a clearly understandable threshold for what is materiality that would then go to reporting to the Privacy Commissioner. I think we share the overall objectives with the drafters of the bill, and also with PIAC, in terms of determining what is the appropriate threshold, that there does need to be reporting to the Privacy Commissioner in order to notice trends, problems, issues within an organization where even they might be having small breaches — not trivial breaches, but small breaches — the cumulative effect of which demonstrates systemic problems within the organization, so that the commissioner can then take action in order to audit the organization or do whatever is necessary in the interests of the public.

Senator Housakos: A piece of legislation has to have applicability and has to be reasonable. I would like to have you people comment on my perspective, that we have to have a degree of confidence in our private companies in this country in order to provide the services to the best of their ability while protecting the interests of Canadians. Again, I reiterate that if they don't respect the privacy and their clientele at the utmost, they are going to pay a significant price in the marketplace. Government does not have the capacity to go into any entity and police it to the degree where — an example, as you just pointed out — somebody has classified information on his desk, goes for a cup of coffee and comes back, and we consider that a significant breach. Yes, there is a potential for it to be a significant breach, but where does Big Brother put an end to policing every single activity that Canadians engage in on a daily basis in this country?

Mr. Fraser: Certainly we would share your concern. If the document is left on a desk and a visitor sees it, that might cross the threshold and become something material, but if it's never seen by a third party, it wouldn't be. So it's a matter of making sure that people understand and that organizations understand what the threshold is, that it's meaningful, so that the commissioner's office isn't bombarded and overwhelmed with things that are completely immaterial, that don't demonstrate systemic problems or otherwise.

Mr. Lawford: I have one small comment. With a system of having all breaches reported to the Privacy Commissioner, it does not necessarily then follow that the company would report, because the company still, with our amendment, would have a notification obligation only when it was going to cause the harm. So I guess it's really just a difference of opinion as to how much you want the Privacy Commissioner to know. I take the point that they may feel overwhelmed, but I don't believe that they will get a report of the document on the desk. But perhaps if they got a lot of reports of documents on desks, they would issue a guideline saying, "This is not a big deal" or "This is a big deal, and we would like you, for documents on the desk, to think about these factors," and it could be quite a soft law approach.

Ms. Nelson: Senator Housakos asked for particular examples. In my non-CBA world, I am a chief privacy officer of an organization. We look at near misses too, just as in the medical or aviation world, and that could be a teachable moment as well. I tell people I work with, "I want you to report to me everything, so that then we can assess together." We look at it as a teachable moment. That's how we have done it at my organization.

Senator Furey: I agree with Senator Housakos when he talks about the need for protection for companies in this new world that we live in, but I still go back to this concern. I haven't had a chance to analyze your proposed amendments, Ms. Nelson, but I still go back to this idea that it bothers me that organizations are permitted to share information voluntarily and with legislative immunity. Do you see this as an issue or am I missing something here?

Ms. Nelson: Thank you very much, Senator Furey. Yes, the CBA does see that as an issue, and we see that that section is overly broad. It is permissive, as you have pointed out, and as our colleagues have. We are concerned that it doesn't limit the types of organizations and the types of information. We see that that definitely needs to be re-examined. We use the word "finesse." Maybe it's more finessing than not, actually. So the need was there to replace what was seen as the investigative bodies' earlier provision. That was seen sometimes as cumbersome; and the Alberta and British Columbia acts have a similar scheme, but we don't see that the current wording of PIPEDA hits the mark, as we said, and there needs to be retooling of that.

Senator Furey: Yes, whereas the amendment now in Bill S-4, in 7.2 I believe, broadens that immunity.

Ms. Nelson: That's a good point. We give the example in our written brief that it could range from criminal to a copyright. It's a broad spectrum of potential contraventions of the law. We have that concern as well.

Senator Housakos: My last question, I guess to the bar and to Mr. Lawford, is that S-4 right now puts into place some very high financial penalties to companies that deliberately cover up data breaches. Don't you think that, in itself, would be encouraging enough for companies not to deliberately cover up again or not be forthcoming with information whenever there is a data breach and risk the possibility of hundreds of thousands of dollars of fines?

Mr. Lawford: We appreciate that the penalties are commensurate with the risk, but in particular with the notification to individuals, as I stated in our remarks, we believe that it is very simple to avoid those penalties because you just have a set of policies about how you judge data breaches, and, because of the recording of the penalties provision, it has to be a deliberate effort to not report to individuals. As long as a company is following an internal policy, I think it's impossible to find them under this test.

As for the hiding of the reporting, I take your point. The company may say why we wouldn't write everything in our little book. We don't want to have $100,000 per record. That might happen, but our fundamental trouble with keeping a record in the backroom somewhere is that the Privacy Commissioner will never see it, so it's not doing its job of getting notifications to consumers or bringing, as we were saying before, a pattern of breaches to light. But I take your point.

Senator Plett: Most of my questions were related to significant or trivial breaches. I think that's been beaten up pretty good, so I won't ask any further questions there, but I do have one general question for the entire panel. You have mentioned Alberta and British Columbia here a few times and I think Quebec. All three provinces have their own digital privacy acts. I know and appreciate that there are certain things that obviously need to be federal because it's federal jurisdiction. Aside from that, on something where there would be overlap, if you will, is S-4 more comprehensive? Is it harder or would the provincial ones be stricter? If you could make a general comment on that, I would appreciate it.

Mr. Lawford: Alberta has a stricter reporting regime for breach notification. It requires material breaches to be reported to the Privacy Commissioner and then the Privacy Commissioner has the power to order the company to report it further, to consumers. We view Alberta, for example, as being stricter than the federal regime, even after S-4.

Senator Plett: How about Quebec and B.C.?

Mr. Lawford: B.C. I'm less familiar with; Quebec I also haven't dug into as much. The B.C. one has a number of breach notifications, so they might have a similar regime. I'm not familiar enough with Quebec to speak to it.

Senator Plett: The bar association?

Mr. Fraser: Currently, the province of Alberta is the only province that has mandatory breach notification and reporting for the private sector. Many of the health privacy laws across this country have breach notification requirements, but currently with respect to ordinary businesses Alberta is the only province that has mandatory notification. We have found that because of that, with large organizations that operate across Canada, they comply with Alberta's requirements and do notification across the country.

Senator Plett: Thank you.

[Translation]

Senator Verner: Thank you for being here today. In your brief, you suggest restricting the communication of personal information between two private companies to those companies with a specialized internal group set up to prevent fraud and cut down on abuse. If that was the situation, apart from banks and insurance companies, what other kinds of companies are you referring to that could set up such a group?

Ms. Nelson: I understood your question in French, but I am going to reply in English.

Senator Verner: Yes, go ahead.

[English]

It would be looked at as the former investigative bodies, that is, those institutions that had registered. An example could be regulatory instances — colleges, bar associations and licensing bodies. Those bodies have continuing professional development; they also have a licensing and disciplining function. We were seeing it is too broad, so if you need to provide this kind of information in case of potential fraud or contravention, it should be directed not to the general inbox of that particular organization, but that's the entity within the organization that's looking at licensing as opposed to the broad spectrum of activities that those kind of bodies do.

You asked if it was just financial. There are other sorts of regulatory institutions that have taken on that role of being an investigative body.

Senator Furey: Just one brief question on your proposed amendment, Mr. Lawford. I like the idea that it's trying to bring some semblance of oversight to this whole process, but I'm still concerned that an individual's privacy could be breached and there is no mechanism for that individual to find out about it. Shouldn't this go further and require that the individual at least be notified during some period of time?

Mr. Lawford: It's a fine line, as I think Mr. Fraser mentioned, between reporting every breach every time to every consumer and whether there is overkill there, or whether it costs too much, or whether it's of any utility. We are trying to craft the first stage, where the Privacy Commissioner will know about all the breaches, whether they are going to be that kind of breach or not. In appropriate circumstances, ideally the Privacy Commissioner would be able to require them to then tell consumers. However, if you leave the obligation on the companies to report, that also would work. We do share your concern that at the end of the day, even after its changes, this particular bill will not lead to more breach notifications to individuals because the tests are too high, they are linked together and all the incentives are pointing away from actually reporting. So let's make it easier. It might take more work going back to Industry Canada to do it right, but that's probably the best plan.

Senator Furey: Okay; thank you.

Senator Mercer: I want to follow up on Senator Furey's question. Are you suggesting that the Privacy Commissioner — again, the nominee whom we will be meeting later this day — makes the determination about individual notification and judges which breach is serious enough to warrant advising a citizen that there has been a breach?

Mr. Lawford: There are two ways you can do this. You can do it the way Alberta does. You can say most breaches are reported to the Privacy Commissioner and then the Privacy Commissioner, as you are saying, has the power to order the company to report. We like that model.

The other way to do it is just to take our amendment and have the Privacy Commissioner of Canada know about every breach, but still leave the actual reporting decision to the company. The company then has to take a risk knowing that the Privacy Commissioner knows. If the Privacy Commissioner knows, will they make a different decision? There are two ways to do it.

Senator Furey: I want to add one quick after note.

When I am talking about notification, I understand the trivial side of it, but in section 10 now there is a more serious side where there is no mechanism for an individual ever to be told about the disclosure. That's more what I was getting at, the more serious ones.

Mr. Lawford: Told about the disclosure or about the breach?

Senator Furey: Well, if an institution shares with an organization, there's no mechanism for the individual whose privacy has been breached to ever find out about it.

Mr. Lawford: I think that's correct. At the moment, there's nothing. There's no way to find out.

Senator Furey: That's more what I was trying to get at.

Mr. Lawford: I apologize. If you're talking about 7(3)(d.1), there is no mechanism that I am aware of.

Mr. Fraser: I don't think the CBA has addressed that particular question in its brief or in previous submissions.

Speaking as an individual, not on behalf of the CBA, I would strongly advocate for a mandatory notification to the individual of any disclosure of their information without their consent after the fact. If it's in connection with a fraud investigation, you obviously don't want to notify the individual in a way that could thwart the investigation, if it's a reasonable investigation. But after the fact, and particularly if section 7(3)(d.1) were to pass as is, there should be a notification with respect to that after the fact.

Senator Furey: Thank you.

The Chair: Mr. White, did you want to add something?

Mr. White: I would just say I don't think that amendment should pass, and I don't think a notification provision sufficiently protects consumers from the vagaries of this provision that allows the sharing of data between big companies.

Senator Furey: If we were to look at it from the other side, an organization like the police, for example, would need not just a warrant but a very specific warrant to get that information. Now it can just flow voluntarily from the other side with immunity and no disclosure.

Mr. White: And if you read the proposed amendment as well, there are no guidelines whatsoever in terms of what governs or constrains the disclosure of information between organizations. It's a huge problem, and it doesn't address any problem that really needs fixing. That's why we are concerned with it.

The Chair: Ms. Nelson for the last word.

Ms. Nelson: Just to pick up on Mr. Fraser's point, the CBA in its written brief did identify the lack of notification as an example of its being too broad, so it was there in writing. David as an individual but also the CBA as an organization is concerned about that.

Senator Furey: Thank you.

The Chair: I would like to thank this first panel on Bill S-4. From the Public Interest Advocacy Centre, Mr. Lawford, Mr. White, thank you for your presentation. From the Canadian Bar Association, Ms. Nelson, Mr. Fraser, thank you for your presentation.

I want to remind members that we will be adopting in camera at the end of the meeting the report on Bill C-3, An Act to implement the budget.

I would like to welcome from the Credit Union Central of Canada, Marc-André Pigeon, Director, Financial Sector Policy; and Jan Hopper, Assistant Corporate Secretary/Chief Privacy Officer. From the Canadian Bankers Association, Ms. Lucie V. Gauvin, Vice President and Associate General Counsel, RBC Law Group, Royal Bank of Canada; Linda Routledge, Director, Consumer Affairs; and Nathalie Clark, General Counsel and Corporate Secretary.

Nathalie Clark, General Counsel and Corporate Secretary, Canadian Bankers Association: Thank you, Mr. Chair, and good morning. My name is Nathalie Clark, and I am General Counsel and Corporate Secretary with the Canadian Bankers Association. I am joined today by Linda Routledge, our Director of Consumer Affairs with the CBA, and by Lucie Gauvin, Vice President and Associate General Counsel with RBC Financial Group. We are very pleased to be here today, at the committee's invitation, to discuss Bill S-4, the digital privacy act, which would amend the Personal Information Protection and Electronic Documents Act.

The CBA works on behalf of 60 domestic banks, foreign bank subsidiaries and foreign bank branches operating in Canada and their 280,000 employees. Privacy and protection of personal information is of high priority for the banking industry. Given the nature of the services that banks provide to millions of customers in communities across this country, banks are trusted custodians of significant amounts of personal information.

Privacy and protection of clients' information is a cornerstone of banking. Banks take very seriously their responsibility to protect customers' information and are committed to meeting not only the requirements of privacy laws but also the expectation of our customers. To quote Interim Privacy Commissioner Bernier, "Privacy is in the banks' DNA."

The banking industry was an early participant in the initiatives that led to the enactment of PIPEDA and was amongst the first sectors subject to PIPEDA. As part of the 2006 review of the act, we provided the government with our suggestions of how PIPEDA might be amended to address a number of issues that emerged during its initial implementation. We are pleased that the bill contains proposed amendments to PIPEDA that will address many of our concerns.

We share the government's concern, expressed in Budget 2014, about seniors and others who may be vulnerable to financial abuse. We were pleased to see that Bill S-4 includes amendments that would give banks and other organizations greater ability to assist their clients to avoid financial abuse.

The bill's amendments will allow banks to inform other family members not involved in the suspected abuse, law enforcement and other appropriate authorities when there are indications that a client is, has been or may be a victim of financial abuse. In such cases, banks are currently limited by PIPEDA to disclose client information only with consent or when a law has been contravened. However, many of the cases of suspected financial abuse that banks may see do not contravene the law.

We applaud the government for proposing amendments that will enable banks to alert someone close to our clients so they can take action to help an elderly client with diminished capacity, or other vulnerable clients, to avoid or mitigate the suspected financial abuse.

Another important area where banks need to take action to protect clients is related to financial crime, fighting fraud, money laundering and other criminal activity against bank customers and banks themselves. Currently banks are able to collect, use and disclose information to fight financial crime through the CBA's Bank Crime Prevention and Investigation Office, or BCPIO, a designated investigative body under PIPEDA.

We support the government's proposal to eliminate designated investigative bodies and to adopt instead the approach used in Alberta and British Columbia where organizations are given the ability to collect, use and disclose information to other organizations for the purposes of investigating a breach of an agreement or contraventions of the law and detecting, suppressing and preventing fraud — the very purpose for which BCPIO was established. If the BCPIO is to continue its fight against criminal activities, however, it is critical that the bill's amendments to PIPEDA are augmented in two ways.

First, add criminal activity to the purposes related to detecting or suppressing fraud, since many of the crimes against banks and their customers are unlawful but are not fraud, for example, when thieves steal from banks, rob branches, steal data or personal information or when individuals threaten or assault bank staff.

Additionally, many criminals operate internationally. Banks need the ability to cooperate with organizations in other countries when the criminal activity crosses jurisdictions, so law of foreign jurisdiction should be added.

Financial crime negatively impacts both consumers and the economic integrity of the financial sector. Financial crime provides the funding for other criminal activities that prey on Canadians, such as money laundering, terrorist financing, trafficking of drugs, arms and human beings. It is critical to Canadian society that the government puts in place measures that reduce financial crime.

We therefore support the provisions enabling organizations to collect, use and disclose personal information for these purposes and strongly recommend consideration of our proposed amendments. We would be pleased to provide more specific suggestions for amendments to Bill S-4 related to these changes.

The bill introduces new provisions for PIPEDA requiring breach notification and reporting. We support the need to notify affected individuals and to report to the Privacy Commissioner about breaches that may represent a real risk of significant harm to individuals.

Banks already notify clients in the rare instances of a breach of their personal information, so that those individuals have an opportunity to protect themselves from fraud or any other misuse of their personal information.

The industry looks forward to working with the government to ensure that appropriate and workable regulations supporting breach notification are developed that will ensure that breaches are properly tracked and reported.

We welcome this opportunity to provide our comments on Bill S-4 and look forward to your questions.

[Translation]

Marc-André Pigeon, Director, Financial Sector Policy, Credit Union Central of Canada: Mr. Chair and honourable members of the committee, thank you for giving us the opportunity to provide you with comments on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act, and to make a consequential amendment to another Act. My name is Marc-André Pigeon, and I am the director of public policy at the Credit Union Central of Canada.

[English]

With me today I have my colleague, Jan Hopper, Chief Privacy Officer, and she will be helping with some of the technical questions you may have.

Before addressing our views on this bill, I'd like to make a few preliminary remarks regarding the role of my organization and, more generally, the Canadian credit union system.

Credit Union Central of Canada, the organization I work for, is the national trade association for its owners, the provincial credit union centrals. Through them we provide services to about 320 affiliated credit unions across the country.

As you may know, credit unions represent an important part of the Canadian economy. There are currently about 1,700 credit union branches serving 5.3 million Canadians, holding $160 billion in assets and employing about 27,000 people. Credit unions come in all shapes and sizes. Our smallest credit union, for example, iNova Credit Union in Nova Scotia, has less than $30 million in assets and as few as 10 employees. Our biggest credit unions, such as Vancity in British Columbia, have just under $20 billion in assets and employ thousands of people. There is a big disparity in size.

Regardless of size, credit unions believe they have an inherent responsibility to be open and accessible while at the same time demonstrating the greatest respect for protection of the personal privacy of their members. Our code for the protection of personal information, which was adopted by the majority of credit unions well in advance of the requirement, documents the system's long-accepted commitment to member privacy. For that reason we think Bill S-4 does a lot of things right.

We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

We do, however, think that this measure could be refined, making it possible to disclose suspected abuse to a member of the individual's family and just broaden it out a little more. Research has shown that often in the case of elder abuse the next of kin is in fact the abuser.

We also like Bill S-4 because it does a lot to reduce some of the regulatory burden that results from the current legislation. For example, we are supportive of the proposal that would do away with the need to obtain consent when personal information is used when organizations are contemplating mergers and acquisitions.

As you may know, the credit union system is actually undergoing a process of rapid consolidation and so this is, of course, a welcome amendment.

Similarly, we support the proposed forbearance with respect to consent when information is shared between financial institutions for the purposes of fraud prevention. This will allow credit unions to reduce the administrative burden associated with some of the operations of the credit union office for crime prevention and investigation.

That said, we do have some concerns about other provisions that may increase regulatory burden. Specifically, the legislation proposes requirements that would compel financial institutions to keep records of all data breaches. We think it makes more sense to align this record keeping requirement with the notification requirements. As you know, the reporting requirements say that breaches must be divulged when they pose a real risk of significant harm to individuals.

To impose record keeping requirements that exceed those of reporting and notification will require the burdensome deployment of a two-tiered incident identification process. This could prove especially costly and time-consuming for smaller credit unions like some of the ones I mentioned earlier.

Usefulness in reporting incidents that do not meet the reporting threshold is not readily apparent and may take limited resources away from important activities such as the prevention of breaches in the first place. For that reason, we also question the proposed potential penalty of $100,000 for non-compliance with this new record-keeping requirement.

To help put these concerns in context, I want to briefly highlight some of the results from a recent survey we conducted of our members on regulatory burden. We found that small credit unions — those with fewer than 23 employees — devoted fully 21 per cent of their staff time to dealing with regulatory matters, including PIPEDA, soon to be FATCA, the ML requirements and so on. Those credit unions with 100 employees or more, which are medium-sized organizations, devoted, on average, only 4 per cent of their staff time.

If you extrapolate this out to the banks, which of course are many times bigger than credit unions, it's reasonable to expect that any new regulation is that much less burdensome for them than it is for us. The problem this creates is it un-levels the playing field, if you want to think of it that way. It makes it a little challenging for us to compete, especially if there are smaller institutions who suffer that burden more heavily.

We are asking that in its review of Bill S-4, the committee and the government keep in mind this kind of regulatory compliance burden faced by credit unions and other, smaller financial institutions and consider amendments that would soften the blow for those institutions. We believe this request is consistent with the federal government's regulatory burden initiative.

[Translation]

In conclusion, we would like to thank the members of the committee for providing us with this opportunity to be part of your study on Bill S-4. We will be pleased to answer your questions.

The Chair: Mr. Pigeon, I have to say that your perspective is different from the one you had when you were sitting at this end of the table.

[English]

Mr. Pigeon used to be at this end of the table when he was on the Senate Banking Committee as a clerk and analyst, and he did the same thing with Finance. Now he's doing it from the other end of the table. Senator Mercer.

Senator Mercer: It is good to see you again. Welcome, and welcome to all of you.

I want to go back to one of the things Ms. Clark mentioned, as well as Mr. Pigeon, the reference to financial abuse of seniors. I would recommend you review the Special Senate Committee on Aging, ably chaired by our former colleague Senator Carstairs, where we spent a lot of time addressing just this issue. This is good news. I will give you a great example.

At our hearings at Welland, Ontario, someone from a financial institution — I can't recall which one — appeared before the committee and told us a story of not the manager of the local branch of the bank or credit union — I can't remember which it was — noticing anything but someone who was a clerk; they were a teller at the bank. They observed a change in pattern for one of their clients, brought that to the attention of the manager and the manager did a little investigation. Indeed, that person was being financially abused by a family member.

I think the system we have in place is working. You need to continue to train your employees to notice that kind of thing.

I did want to ask the question about notification of breaches. Sometimes these things get turned around. I have seen a couple of examples where fraudsters have used a false notification of breach to try to obtain private information on individuals. Has this become a problem as well?

I know banks and credit unions are quick to point out this is not how we contact our clients if there is a problem, but consumers don't always know that. Have you noticed an increase in fraudsters turning the notification process around to their advantage?

Ms. Clark: So that I understand your question well, are you referring to cases where, for example, fraudsters would push an email out to customers of banks, telling them, "There's been a fraud in your account, we want to notify you, please log in and verify all of your information?" That is a form of phishing, a form of obtaining personal information. We have seen these types of instances occur. Banks have very stringent ways and processes in place to catch these types of activities, to block them and prevent them, and they are pretty efficient at ensuring that it doesn't ultimately affect the customers.

If they think there is a risk that some of their customers will be harmed as a result, they will immediately notify their customers to be very careful, to monitor for these types of activities, to be suspicious, and when in doubt, to contact their bank to ensure this is a legitimate request.

Mr. Pigeon: I would ask Jan if she has anything she wanted to share on this point.

Jan Hopper, Assistant Corporate Secretary/Chief Privacy Officer, Credit Union Central of Canada: I don't really have a lot to add to what Nathalie said. Basically, credit unions take the same approach; they actively shut down the phishing site. Also, credit unions provide consumer awareness about this type of fraud and many other types. We have a booklet called Defending Yourself Against Fraud that's available to our members so that they educate themselves and can identify such emails because they are quite frequent, really.

Senator Furey: Thank you all for coming this morning.

Ms. Clark, I want to focus on section 7(2) of PIPEDA, the right of institutions to voluntarily disclose information. Do you think it's necessary that organizations should be disclosing private information voluntarily?

Let me put it another way. The police may go to a bank looking for information for which they need a very specific warrant, but section 7(2) in PIPEDA allows the organization to voluntarily disclose information without ever notifying the client. Is this necessary?

Ms. Clark: Banks already will disclose information amongst each other — for example, through the Bank Crime Prevention and Investigation Office — for the purpose of preventing financial crime. If we suspect that notifying the customer that personal information is being shared would compromise the ongoing investigation to prevent or detect a financial crime, we think it's an appropriate way to actually voluntarily share the information with the other organization.

We do it in the banking industry right now through an investigative body, and we do it primarily for the purpose of preventing financial crime or harm to other customers through that particular crime.

The only time we will not advise the customer is when we suspect that disclosure to the customer would compromise the investigation. Otherwise, we advise the customer. Obviously, if our customers are potential victims, we want to prevent further harm as much as possible. That's the limit within which we use the BCPIO.

Senator Furey: You're touching on some of the good things about this legislation, particularly the protection of vulnerable individuals, but it seems to be a pretty extraordinary measure to be able to voluntarily disclose without informing.

I understand that if it might compromise the investigation there certainly has to be a period of time during which clients wouldn't be informed, but don't you think at some point the bank would have a duty to decline to disclose it?

Ms. Clark: The bank at some point would disclose, absolutely.

Senator Furey: When?

Ms. Clark: When the investigation is completed, for example.

Senator Furey: But you're not required to by law.

Ms. Clark: I think at that point there would be some disclosure.

Maybe Lucie can add what the practices are at RBC, but again, I would emphasize the fact that in the banking industry, the primary reason we share information on a voluntary basis with another organization is to prevent financial crime. That's the primary purpose of why we do that, and that will continue to be the primary purpose for which we will use it under Bill S-4, if it comes to that.

Lucie V. Gauvin, Vice President and Associate General Counsel, RBC Law Group, Royal Bank of Canada, Canadian Bankers Association: I'm not sure I have much to add, other than the purposes for which a disclosure is made are to prevent, combat, suppress some form of criminal activity. If the individual whose information is being disclosed is participating, or if we suspect the individual is participating, then of course we refrain from disclosure until such time as other means are put in place. However, if it is a victim of this fraud or this activity, then, as soon as we can, we will notify the individual.

Senator Furey: I have two more questions.

The Chair: I think Senator Eggleton has a supplementary.

Senator Eggleton: You're talking about disclosing information, sharing information, if you suspect a crime might be committed — elder abuse, or whatever the crime might be. What if it's just a civil case? What if it's a case of an insurance company, for example, looking for information as part of a case that they're processing? What's to stop you from sharing that information with them?

Ms. Clark: Currently, if we suspect there is a breach of the law, we can disclose to law enforcement or to government authorities. So that is already permitted under the act. Going forward, as I said, banks would primarily do it to ensure that financial crime is being prevented or addressed. We didn't have discussion as to what extent this exemption would be used going forward, but I would make the following statement: Generally, banks do not disclose information in relation to their customers without their consent. That's the general rule. I think it's important to state that banks, because of the nature of their activities, will generally abide by these general rules.

Senator Eggleton: But that's your rule.

Ms. Clark: So the exemptions that are provided by the act will be approached very carefully by a financial institution because of the very nature of their relationship with their customers.

When approaching those types of exemptions, banks will take a very conservative approach, will look at it on a case-by-case basis, and will be very careful. If they take the decision to share on a voluntary basis, there will be stringent parameters around that disclosure. It will only be done to the extent absolutely necessary, and as soon as possible the customer will be advised. Because of the nature of that relationship, banks live through their customers, and the disclosure of their personal information is a serious matter. That's how it would be approached.

Senator Eggleton: But you would be making that decision. It's one thing to talk about law enforcement people, but if an insurance company came forward and said, "We have this claim we're processing and we think this person hasn't told us all the truth about something or other, and you have some other information that would be of help to us," you would make some judgment on whether you would provide that and whether you would tell the customer? Is that what you're coming down to: You would make some judgment on that?

Ms. Clark: I think there is a role for the Privacy Commissioner to set up the guidelines around this type of disclosure, and we will be looking forward to guidance that will be provided. Also, I think it's important to take into account that there will be oversight from the Privacy Commissioner over these types of activities. That's what I would say generally. I don't know if my colleagues have some views on that. As it pertains to the banking industry, as I said, we would take a very careful approach in looking at and alleviating ourselves from that type of exemption because of the very nature of our relationship with Canadians.

Ms. Gauvin: I may add that it's not because the legislation allows for disclosure that you automatically give yourself the ability and the power to disclose. As Nathalie indicated, we look at each case individually and make that determination. You are correct; that determination will come down to whether or not we feel that, within the parameters of that provision, we have the ability and we feel it is necessary to disclose.

Senator Eggleton: Without consent.

Senator Furey: I want to go back to that point, because 7(2) is not just about disclosure; it's also about immunity. The banks will have legislative immunity upon disclosing. You are permitted by law to do this. You're telling us that you voluntarily will disclose at some point, even though you are not required to do so, but is it necessary to have immunity from these types of disclosures? In other words, if you were to do something wrong in those disclosures, a client or customer of the bank has no recourse because you're following the legislation which allows you to do this. Is that necessary?

Ms. Clark: I think it's important to keep in mind that if the bank feels that they need to disclose information for the purpose of preventing crime, and do it very rigorously and do it only to the extent absolutely necessary to ensure that crime will be prevented, I think at that point, if there has been a mistake or an error or the bank has over-disclosed in the eyes of either the consumer or the regulatory authorities, then there is a strong oversight on the part of the regulator, but also inside the bank. Then the bank would look at its policies and procedures to ensure that some of it is being reviewed and ensure that these types of activities would be maybe more restrained going forward.

I think it's important to state that there is oversight; and if there is, after the fact, a realization that someone has been overly harmed or that the policies and procedures need to be reviewed, definitely in the banking industry this is something that is going to occur. There's also the Privacy Commissioner, who can come and look at the policies and procedures that the banks have been putting in place and direct the bank or suggest changes to ensure that, as we go, these types of activities are done within the limits that they should be.

Senator Furey: I agree. Trust is perhaps the golden rule for banks. People give you their money. They trust you. If that trust is breached, you may never repair it. What you're telling me now about oversight leads me to believe that there really is no need for immunity, that there really shouldn't be a section 7(2), giving immunity for disclosures, because you look after all of that yourselves in-house.

Ms. Clark: I think when you disclose in good faith for the purpose of preventing financial crime or even harm to some of your other customers, if there's been an error or a mistake in that disclosure, you should not be overly punished for this kind of activity. It's important to give organizations the comfort that, as they go about trying to prevent some of these criminal activities by disclosing, there will be a certain amount of protection.

Senator Furey: Again, it depends a lot on your internal mechanisms, but you don't want to see a situation arise where a bank takes it upon itself to become an arm of law enforcement. That's not their job.

Ms. Clark: I would agree.

Senator Furey: But again, because of the way the legislation is worded, it depends on your internal oversight.

Ms. Clark: As I said, I think it's very important to keep in mind that there's strong oversight on the part of the regulator, but also internally within the bank, to ensure that all these activities are done in compliance with the law and to the minimum limit to achieve the purpose, which in our case again is primarily to combat financial crime.

Ms. Routledge: The reason for this provision is the government is proposing to eliminate having designated investigative bodies. What is being done now within the investigative body is what is being put into this provision in 7(3). It follows what has been done in Alberta and B.C. in their legislation, where they have the ability to share for the purposes of investigating and preventing crimes.

We're sort of matching more what is being done at the provincial level. I'm not aware of problems in the provincial exchanges or investigation problems or activities.

Senator Furey: I'm not against trying to reduce crime, particularly fraud and terrorism, all of those bad, nasty things. I just don't like the idea of immunity. There should be some yardstick that people have to reach before disclosure is actually made. That's my personal view on it.

I want to go back to Ms. Gauvin for a second. In light of this line of questioning, are you able to tell us what if any kind of interaction happens on a regular basis, if a regular basis, or how many disclosures for example are made on an annual basis voluntarily from the bank to police institutions? Give us an idea of what we are talking about in terms of numbers.

Ms. Gauvin: Certainly government institutions have the ability to ask for disclosure of information from organizations under the current regime, and they do exercise that power. They do it through production orders, primarily. They may have had in the past the desire to just ask for the information, but they have been very well trained under the legislation. They know they need to demonstrate valid authority to ask for the information, and they serve production orders on financial institutions when doing an investigation.

I am not aware of a specific number of production orders that are served on organizations.

Senator Furey: I am sorry; I probably confused you with my lengthy question.

I was asking more about voluntary disclosure of information from the banks' end as opposed to warrants issued and presented to banks. Would you have any idea of the amount of voluntary disclosure that's made to police organizations, for example, on an annual basis?

Ms. Gauvin: While I'm not aware of a specific number, I can tell you that, other than disclosing directly to a government institution, the disclosure that we do is through our investigative body. They would have certain provisions in the current regime that allow them to do further disclosure in the context of an investigation, yes.

Senator Furey: Within, say, the Royal Bank, you have an investigative body? All disclosures would go through that particular body?

Ms. Gauvin: All disclosures go through the investigative body.

Senator Furey: They are not represented here today, obviously?

Ms. Gauvin: No.

Senator Furey: Thank you.

Senator Demers: This is something that will hopefully help both sides of the panel here, and senators. This is something that happened, and maybe your answer will shed light on this.

In 2012 I was in Florida with my wife, spending a little vacation there. One night we went to a restaurant with another couple, and they refused my card. We knew it was not possible at the time. The bank immediately contacted me that someone in Kansas City had, in the span of maybe six, seven hours, spent over $5,000 very quickly. The Royal Bank of Canada was extremely professional in returning the card; I had to get a new card. Then three, four weeks later they paid back the money we lost. They told me that people defraud the system of hundreds of millions of dollars — and as we speak right now — by the minute. They apparently knew my address, my phone number. I guess they could get that.

From 2012 to where we stand today, what has been done to prevent that? Apparently it's still going on, but has there been some adjustment to protect people from this kind of fraud?

Ms. Clark: I can start with a general answer from a CBA perspective. In Canada we have adopted a number of measures to prevent this type of credit card or debit card fraud. We have introduced in this country chip and pin technology in order to avoid some of this crime, and it has been very effective.

We also, through BCPIO, share information amongst institutions. That allows us to prevent and detect some of this crime. Also, as you experienced with the Royal Bank, despite all the efforts that we make — and there is a lot of effort in trying to prevent this type of crime — from an industry perspective we have a zero liability policy for the customer, and our customers are all made whole.

The banking industry absorbs the loss in relation to debit and credit card fraud, which is what you experienced with the Royal Bank. It continues to be a focus. We continue to try to be two steps ahead of criminals. A lot of debit and credit card crime that we have experienced in Canada is also related to larger groups, and some of this crime originates from other jurisdictions, so it's large-scale crime.

As I said, the introduction of the chip and pin technology has mitigated some of the risk, and we continue to monitor this very closely.

[Translation]

Mr. Pigeon: May I add something? We are taking a similar approach in our system. But remember that the credit union system does not issue credit cards. We have contracts with other companies that do issue them, but they follow the same rules as the banks. So it is the same in our case.

Senator Verner: I have a question that is along the same lines as my colleague's. Just a few months ago, something similar happened to my husband. We are Royal Bank customers and they reacted very, very quickly. In the space of a few hours, they realized that there was a problem and they blocked my husband's credit card.

Consumers often wonder if you actually find people who clone cards. Someone used my husband's credit card, no question. But when you ask, the staff at the bank is very reluctant to disclose any information about it. That gives the unfortunate impression that those committing the fraud are better protected than their victims.

This is not a matter of seeking justice oneself, but you often think about where it could have happened. You often wonder what happens to the people who clone cards. Do any of them ever get arrested?

[English]

Ms. Clark: Thank you very much for your question. What I would say is very often there is ongoing investigation. If the debit card or credit card scheme is at a large scale and involves all sorts of other criminal organizations that are quite sophisticated and sometimes originate in another country, it's impossible to share this type of information. It would compromise the investigation. That's the first thing I would say.

I would add, if you allow me, because I didn't specify it when I was answering Senator Demers's question, but banks have very sophisticated internal security systems that allow them to recognize patterns. They know their customers pretty well, the habits of their customers, the use they make of their bank products, and they are able to quite quickly identify when a transaction will be out of character for this particular customer.

I would add that the banks are very well organized as a group to prevent these types of crimes, but they are individually extremely sophisticated and have stringent systems in place to detect and prevent this type of crime. We do catch the bad guys from time to time.

Senator Verner: Good to know.

Ms. Clark: And we do it with the help of law enforcement, and that's part of what the BCPIO is trying to do, to allow banks to share some of this information so that they can actually identify where the crimes originate and stop them.

The Chair: Final question, Senator Mercer?

Senator Mercer: Ms. Clark, in your presentation you said, "We support the need to notify affected individuals and to report to the Privacy Commissioner about breaches that may represent a real risk of significant harm to individuals." How do you define "real risk"?

Ms. Clark: The threshold? If I understand, your question is how do you assess the threshold in the bill, what is risk of significant harm to the individual?

Senator Mercer: Yes.

Ms. Clark: I'm going to let my colleague Linda Routledge, who really has looked at this issue very carefully, respond to this question.

Linda Routledge, Director, Consumer Affairs, Canadian Bankers Association: I think to some extent the bill itself begins the description of what is significant harm. It talks about sensitive information and so on, like that, and the ability to have an impact on the individual, but I think the banks have to look at each case on a case-by-case basis and understand what the impact will be in that particular situation. So it's a combination of the law and subjective assessment by the organization.

Senator Mercer: Thank you, chair.

The Chair: I would like to thank Ms. Clark, Mr. Pigeon and your colleagues for your presentation.

Just briefly to inform the members of the sitting for tomorrow night, we'll have the Office of the Privacy Commissioner. As you know, there is no Acting Privacy Commissioner, but we will have somebody from the office. We have the Marketing Research and Intelligence Association, the Canadian Marketing Association, Michael Geist from the University of Ottawa, and Michael Crystal from Crystal and Associates, so we will be sitting on that tomorrow.

We will adjourn for about a minute and then go in camera for the adoption of the report on C-31, the budget implementation act.

Senator Furey, you had a question?

Senator Furey: Just before we adjourn, chair, and probably to save us some time, could we possibly ask Ms. Gauvin to check with her investigation group within, say, RBC and just let us know what the number of voluntary disclosures would be? And probably present to you, chair, just the number of voluntary disclosures made on an annual basis to give us some idea of what kind of a ballpark we're in?

The Chair: And if the association handles that kind of information from the other banks, I guess you could share it from your other partners, if possible?

[Translation]

There are also credit unions.

[English]

Ms. Clark: We will do our best to look into this issue, and if it is available, we will follow up directly with the committee.

The Chair: Thank you. We will adjourn for a minute.

(The committee continued in camera.)