Proceedings of the Standing Senate Committee on
Transport and Communications
Issue 7 - Evidence, June 4, 2014
OTTAWA, Wednesday, June 4, 2014
The Standing Senate Committee on Transport and Communications, to which was
referred Bill S-4, An Act to amend the Personal Information Protection and
Electronic Documents Act and to make a consequential amendment to another act,
met this day at 6:45 p.m. to give consideration to the bill.
Senator Dennis Dawson (Chair) in the chair.
The Chair: Honourable senators, this evening we continue our review of
Bill S-4, An Act to amend the Personal Information Protection and Electronic
Documents Act and to make a consequential amendment to another Act. It is also
known by its short title, the digital privacy act. The witnesses for our first
panel are from the orphaned — for the next few days — Office of the Privacy
Commissioner of Canada. We have before us Patricia Kosseim, Senior General
Counsel and Director General; and Carman Baggaley, Senior Strategic Policy
Advisor. I will ask you to make your presentation, after which senators will
Patricia Kosseim, Senior General Counsel and Director General, Office of
the Privacy Commissioner of Canada:
Thank you, Mr. Chair and members of the committee, for having invited us to
discuss Bill S-4, An Act to amend the Personal Information Protection and
Electronic Documents Act.
Joining me today is Mr. Carman Baggaley, Senior Policy Analyst.
As you know, the office is in a period of transition. We cannot speak on
behalf of the soon-to-be-appointed commissioner. But as you have asked us to
appear today we will be presenting our views as they have evolved after more
than 10 years' experience applying the act under the leadership of Commissioner
Jennifer Stoddart, and more recently, Interim Commissioner Chantal Bernier.
Let me begin by saying we are very pleased the government has introduced
legislation to update PIPEDA. This is the third such bill that has been
introduced, and we hope that Bill S-4 will, in fact, result in legislation.
We have provided the committee with a detailed written submission on Bill
S-4, but given the time we have today, we will limit our comments to the more
We believe Bill S-4 will strengthen privacy protections for Canadians in
their dealings with private-sector companies and build consumer trust in the
digital economy. In particular, we welcome the proposals to introduce mandatory
breach notification and voluntary compliance agreements.
Let me turn to those two to begin with. Requiring notification of breaches
that pose a "real risk of significant harm" will bring PIPEDA in line with
notification laws of many other jurisdictions. The notification proposals in
Bill S-4 strike a reasonable balance, in our view.
Furthermore, requiring organizations to keep and maintain a record of every
breach and provide our office with a copy of such record on request are
important accountability mechanisms that will allow our office to evaluate
compliance with the notification provisions and assess how organizations are
making the determination whether to notify.
The proposed compliance agreements are an innovative way of encouraging
organizations to work with our office to improve their practices while providing
our office with a recourse mechanism to ensure that companies follow through on
the commitments they make pursuant to our investigations.
The proposal to extend the window for filing applications in the Federal
Court from 45 days to one year gives all parties more flexibility to resolve
complex issues within a more realistic time frame.
We are also pleased by the proposed amendments to clarify the requirements
for valid consent, and by the proposal to broaden the scope of information the
commissioner can disclose in the public interest.
The proposed amendments to allow disclosure to communicate with the next of
kin or to identify an injured, ill or deceased person serve important
compassionate and humanitarian purposes.
The proposal to allow disclosures to facilitate business transactions
addresses a gap that has become apparent since PIPEDA was passed, and the
safeguards built into these provisions should minimize the risk of abuse, in our
We do, however, have some reservations about two new proposed paragraphs:
7(3)(d.1) and (d.2), which would allow an organization to disclose
personal information to another organization without consent in certain
circumstances. We are concerned that these two amendments could lead to
excessive disclosures that would be invisible both to the individuals concerned
and to our office. In our submission, we suggest some ways to minimize the risk
of over-disclosing, and we urge the committee to consider ways to require
organizations to be more transparent about these disclosures.
Lastly, we also believe more transparency is required around disclosures
under paragraph 7(3)(c.1). This paragraph allows organizations to disclose
personal information without consent to government institutions with lawful
authority to request information it suspects relates to national security, or
for certain purposes, including law enforcement.
We recommend that, at a minimum, organizations should be required to keep a
record of these warrantless disclosures, and make this data publicly available
in aggregate form, as some American-based organizations currently do.
Thank you. We would be pleased to answer any questions you may have.
The Chair: Thank you for your presence. We know, under the
circumstances, that you are in an awkward situation, but we are glad that you
could join us.
Senator Mercer: Again, thank you for coming here. As Senator Dawson
said, we appreciate it, particularly under the current circumstances.
Your last point with respect to 7(3)(c.1) and allowing organizations
to disclose personal information without consent to government institutions, we
have heard in the last couple of weeks of the dramatic number of requests that
were made. The acting commissioner released that to the public. I think
Canadians are surprised, shocked and probably concerned that this has happened.
It seems to me that we need to find a way that protects Canadians. We
understand there is a need for that information to flow to certain government
agencies so that they can do their work properly. But at some point, if
government agencies request information on Canadians and it is not in line with
a criminal investigation, then don't you think that Canadians deserve to know
that a request was made for their personal information?
Ms. Kosseim: Thank you for that question. The figure that was
disclosed recently through an ATIP request on the number of requests that were
made to telecommunications companies was indeed a large number. A subset of
those requests was actually responded to. That is the first point of importance
We think that, indeed, greater transparency around the number of requests
that are made, the number of times disclosures are denied or pushed back, the
number of disclosures that are made, the types of information requested, whether
or not they were done with a warrant, subpoena or court order, those are the
kinds of aggregate data that we believe should be reported on by companies, as
many U.S. companies do, certainly through transparency reports, and we think
that would be a good thing to have here as well.
Senator Mercer: If I recall the data that were released, none of the
requests were attached to a warrant. I think what is more shocking than the
number of requests is that no warrants were attached to these requests. Big
Brother is watching here, but most of us want to make sure that Big Brother, if
he or she is watching, has to respect our right to privacy and liberty under the
Charter of Rights and Freedoms as well.
How do we tighten this up without limiting the need for law enforcement
agencies and government enforcement agencies to have access to this? Is there a
way we can tighten it up without hindering that important role that government
Ms. Kosseim: There are a couple of ways. First, the parameters of what
can be disclosed under 7(3)(c.1) are presently a question before the
Supreme Court of Canada. We expect a decision fairly soon, and so we will have
guidance in terms of what can be requested in cases without a warrant and what
are the parameters around lawful authorities. I think that will be helpful for
everyone in interpreting and applying provision 7(3)(c.1).
The transparency reports that we call for and we hope will be adopted as a
practice in Canada, as it's done in the U.S., certainly are a mechanism for
enhancing accountability and giving the telecommunications companies or other
companies the courage to ask some tough questions, do their due diligence, ask
for the source of lawful authority, question the requests and, in some cases, if
they find it is legitimate, give the information, as it is their discretion to
do so. But other times, they have the right to push back and to hold back the
information. I think the accountability or the transparency reports will give us
a better sense of what the current practice is, and in how many instances and
what types of requests have been made, and what were the responses. I think that
is a very important mechanism for ensuring, at the very least, greater
accountability and transparency.
Senator Mercer: Perhaps we have put the cart before the horse here. We
are debating this legislation while there is a ruling anticipated from the
Supreme Court of Canada that may affect a very important part of this bill. I
guess the good news is that it will not pass in the House of Commons. Even if it
passes the Senate, it will not pass in the House of Commons before the summer
break so that the Supreme Court of Canada ruling could take effect.
My last question is with regard to the issue of a record of every breach of
privacy. The Privacy Commissioner will have access to that only on request. I
have asked this question before, but not of people in your position.
It would seem to me that it would be beneficial to the Privacy Commissioner
to see all the breaches — not necessarily investigate all breaches — to see what
the trends are. If there are trends happening in a particular mode, device or
industry, or a particular type of breach, it would be beneficial for the Privacy
Commissioner to see those trends, and you can't see those trends if you are only
looking at reports that you get on request.
Do you not think that you should be looking at all breaches? When I say
"looking at," I don't necessarily mean examining each one individually, but at
least have a record of them in-house so that if you need to respond to and
analyze trends, you have the data in-house.
Ms. Kosseim: I think "on request" probably does strike the right
balance; otherwise we would expect to be flooded by a lot of breach reports. I
think "on request" allows us to make the request of individual organizations in
the context of a breach or a complaint investigation, but it also allows us to
ask several organizations, in the case of an audit of the industry or the
sector, for instance. As long as we can request this information when we need it
in order to carry out our investigations and our audits, we think that strikes a
reasonable balance and is probably just the right measure of information that we
would probably need when we would need it.
Senator Verner: My first question concerns the communication of
information between two private organizations. Some witnesses who appeared
before our committee expressed concern about possible abuses.
We understand clearly that the exchange of information between two private
organizations could be used, in particular, to prevent fraud and
insurance-related financial problems. We understand that sensitive data on the
health of individuals could also be disclosed.
In order to balance expectations, that is the need of private sector
enterprises to exchange information, and the need of consumers to have their
rights protected, if Bill S-4 becomes law, will you have the necessary
regulatory powers or administrative mechanisms to monitor all of this and
achieve a balance?
Ms. Kosseim: Thank you for the question. It is an excellent question
and, in fact, you will see in our brief that we express concerns with regard to
that provision. However, we also have some suggestions to make to achieve that
balance. For instance, we suggest that, at a minimum, you seriously review the
provision that would allow that exchange in the name of preventing fraud. We
understand that when there is documented fraud, it has to be examined or
stopped, but to act to prevent fraud leaves the door wide open to a type of
surveillance or monitoring and exchange of information, when there is neither
need nor justification. In our opinion, preventing fraud is a wide open door,
and we suggest that the text be tightened somewhat by eliminating that part of
the proposed provision.
Secondly, we recommend that the threshold of "reasonableness" be raised to
necessity. Once again, if disclosure can only take place when it is necessary and
not when it is simply reasonable, this would be one way of tightening up
disclosure between organizations.
Thirdly, and in the same vein as our comments on this issue, regarding
paragraph 7(3)(c.1), we believe more transparency is required around
these disclosures, and for the same reasons, we suggest that there be at least a
registry where organizations keep a record of cases where they share information
with other organizations, and the reasons for these disclosures, in the interest
of fostering greater transparency and accountability.
Finally, if the provision comes into force, we would like it to be
interpreted in a narrow way. We would expect organizations to show due diligence
and review any request made by another organization to determine if the
information is really necessary, if all of the information is necessary, or
perhaps less of it, and if the disclosure will really put an end to a case of
fraud. All of these questions have to be raised, and requests studied on a
case-by-case basis, so as to avoid the exchange of information between
organizations without accountability. Those are our suggestions to you
concerning those two provisions.
Senator Verner: Regarding the registry, the Canadian Bar Association
and the Credit Union Central of Canada expressed concerns about the
administrative burden and additional costs that would be created by a registry
on violations of privacy, and the mandatory reporting of situations to the
Office of the Privacy Commissioner. Among other things, they were particularly
concerned about the financial burden this could place on very small businesses.
Do you think these fears are justified? Are you in a position, at the Office
of the Commissioner, to evaluate the financial impact of keeping a registry of
this type, particularly on small businesses?
Ms. Kosseim: I must say that we have no concerns in that regard. In
our opinion, creating a registry would be the minimum an organization could do
to document violations of privacy. As we say, we cannot evaluate what we do not
measure. So if no violations of privacy are recorded, how can businesses
self-assess to see if they are improving, if they have closed loopholes, or met
needs, or tightened their security measures?
That is the first step they must take to see what is happening, to set out
the facts for their supervisors, and to make sure discussions regarding
violations of privacy reach the highest echelons of the company.
Senator Verner: When Minister Moore appeared before the committee, I
asked him, in light of the fact that he will be entrusted with an important new
duty and responsibility involving the Office of the Commissioner, if the office
would have sufficient funds and resources to assume this role following the
adoption of Bill S-4. He replied that the interim commissioner was favorable to
the bill, as you said, and that she had not requested new funds for its
implementation. Would that be your opinion as well?
Ms. Kosseim: Once again, thank you for this very relevant question. We
discussed resources with Industry Canada personnel and shared our concerns in
this regard, all the more so since this past year we have experienced an
increased rate of reports from the private and public sectors. To give you some
idea, reporting has been mandatory in the public sector for a month now, that is
to say since the Treasury Board directive was issued. In the space of a month,
there has been a 239 per cent increase in the number of reports, as compared to
the same period last year.
So it is fair to say that we can expect a heavier workload. All of the
reports will not, of course, lead to investigations, but nevertheless, there
will be considerable work to do to sort and assess the information, and to speak
to the companies concerned; we will do our best with what we have. However, it
is clear that there will be an impact on resources.
Senator Merchant: I have a further observation on permitting the
disclosure of an individual's personal information without their knowledge or
consent in certain limited circumstances. Then why not notify people? For
instance, with wiretapping, I think you notify 90 days later. This way, you
almost have the public monitoring what is happening. If you get a lot of
complaints, then you know there is a problem there. Why not have something
similar on this occasion?
Ms. Kosseim: Thank you for the question. There are some provisions
that require notification, even when there is a consent exemption explicitly.
But as a fallback, there is still the important principle of openness and
transparency, where we would expect organizations to be transparent about
potential collections, uses and disclosures without consent upfront with their
So there is both explicit reference in some instances, as well as the general
principle of openness and transparency.
I will ask my colleague to specify or add anything.
Carman Baggaley, Senior Strategic Policy Advisor, Office of the Privacy
Commissioner of Canada: I think the wiretap example is a useful analogy.
That's a provision that has been in the Criminal Code for many years, and law
enforcement seems to be able to live with the knowledge that the wiretap will be
released after a certain point if it's not used for the purpose of an
investigation. I think that's a useful model where we could look at ways of
trying to build in some mechanism to ensure that some of these disclosures will
be made public in certain circumstances. Certainly not where it's in the midst
of an investigation or in the midst of some concern with anti-terrorism or
something else, but there should be a mechanism to allow disclosure that's not
The Chair: Thank you very much for your presentation. We understand
the circumstances. We appreciate your coming before us and we hope that you will
be blessed by a good Privacy Commissioner.
We are continuing our review of Bill S-4. We have a panel from the Marketing
Research and Intelligence Association and from the Canadian Marketing
From the Marketing Research and Intelligence Association, we have Kara
Mitchelmore, Chief Executive Officer; and Annie Pettit, Chair of Publications.
From the Canadian Marketing Association, we have Wally Hill, Senior
Vice-President Government and Consumer Affairs; and David Elder, Special Digital
Privacy Counsel and Counsel at Stikeman Elliott LLP.
We will be hearing from the Marketing Research and Intelligence Association.
Kara Mitchelmore, Chief Executive Officer, Marketing Research and
Intelligence Association: I'm with the Marketing Research and Intelligence
Association, MRIA. I'm here with Dr. Annie Pettit, who, among other hats she
wears, is MRIA's chair of publications.
First, thank you for inviting us to speak to you on Bill S-4, the digital
The MRIA is a national self-regulatory association representing all sectors
of the Canadian marketing research industry. Our members include over 1,500
individual research professionals and nearly 350 research agencies, as well as
buyers of research services such as financial institutions, major retailers,
insurance companies, telecommunications firms and manufacturers.
MRIA has always been supportive of PIPEDA. Our members devote a significant
amount of time and effort to protecting our good relationship with the public,
including taking steps to respect a person's right to privacy. We believe that
PIPEDA has been effective and has led to considerable positive change in the way
businesses operate in Canada.
We're here today to offer our general, but reserved, support for Bill S-4. We
believe that a number of provisions in Bill S-4 are a step in the right
direction, as they address gaps that exist in Canada's privacy framework.
Paradoxically, we caution that other proposals in Bill S-4 would diminish
privacy rights in Canada.
We're going to offer comments on five specific issues. Our support or
concerns are limited to those five issues, which are outlined in greater detail
in a brief we submitted to Mr. Charbonneau.
First, breach notification: More than ever, organizations can amass
significant amounts of data about individuals. Unfortunately, we are reading
more and more about major breaches involving thousands and millions of
individuals. Canadians must be made aware of these breaches so they can protect
As such, MRIA supports the mandatory breach notification requirement. We
consider this to be the most important and positive proposal contained in the
bill. With easy access to big data and unprecedented identity theft, it is no
longer sufficient that notification of a breach be a moral obligation — it must
be a legal one.
There is a caveat, however. We recommend that the bill be amended to state
that the Privacy Commissioner is responsible for determining whether a breach
creates a real risk of significant harm to an individual. Having this
determination rest with an organization where a breach has occurred creates a
potential conflict of interest with too much subjectivity. We see this unbiased
assessment role as a natural extension of the commissioner's mandate, and it
would result in a more objective assessment of whether significant harm has been
We also propose that organizations responsible for breaches should be
required by law to offer free credit monitoring for a one-year period to those
affected as an added measure to protect them from identity theft.
Second, valid consent: MRIA fully supports the provisions in Bill S-4 which
provide added clarity for organizations when they seek the valid consent of an
individual. We believe that specifying the elements of valid consent will go a
long way to protecting the most vulnerable Canadians, such as seniors and
Regarding the issue of consent by minors, this committee might be interested
in MRIA's Code of Conduct and Good Practice, which contains a section on
the ethical issues involved with interviewing children and young people, and the
special care and precautions required on the part of the researcher. For
brevity's sake, an excerpt of our code of conduct is included in your brief.
Third, prospective business transactions: We are pleased that the government
recognizes the need to amend PIPEDA to allow the transfer of personal
information from an organization to a prospective purchaser or business partner.
I won't go into details, but we are supportive of this provision. Annie will
now finish our comments.
Annie Pettit, Chair of Publications, Marketing Research and Intelligence
Association: Fourth, sharing of information between organizations: MRIA does
not support the clauses in Bill S-4 which permit organizations to disclose
personal information of individuals, without consent, to another organization,
even for worthwhile purposes such as investigating a breach of an agreement or
an alleged fraud.
Disclosure between organizations without consent should continue to require
the oversight of a legal body, such as a court order or other due process of
While loosening the privacy laws might simplify investigations for
organizations into possible breaches of fraud, MRIA believes such an allowance
would go against the foundation that PIPEDA was built on; namely, that
safeguards must protect the personal information of Canadians unless warranted
by justifiable circumstances.
We believe this proposed clause could be used as a loophole, allowing
organizations outside of government or law to circumvent legal due process. This
would create an environment ripe for abuse. Similar to what Kara stated, there
is too much subjectivity at play to allow organizations to make the proper
determination as to whether consent is required. The guidance and oversight of a
neutral and authoritative body, such as the courts, is required to avoid
creating conflicts of interest.
Fifth is the sharing of information between government institutions and
organizations. We also wish to comment on an existing provision within PIPEDA
that allows organizations to share without consent personal information with an
investigative body or government institution.
We aren't experts in legal investigations or issues of national security. We
are, however, alarmed by media articles reporting that in 2011, government
agencies made 1.2 million requests, without warrants, to telecom companies to
disclose information of hundreds of thousands of customers.
We believe that when PIPEDA was first adopted, legislators intended to strike
a balance between the need to protect personal information and the need for
authorities to access personal data in specific circumstances. It seems
unthinkable that legislators would have foreseen such alarming rates of
circumventing the need for a warrant.
Rather, we believe that these provisions are being used as a loophole to
avoid due process. We therefore urge this committee to use this opportunity to
close what we consider to be a loophole by proposing new provisions in PIPEDA
that more clearly outline the parameters that government institutions must
follow when requesting personal information without consent.
To conclude, market and survey research play a pivotal role in our society by
giving voices to the opinions of Canadians and helping to influence and improve
public policy decisions. We must protect the public goodwill that exists for
marketing researchers. As disciplined as researchers are in respecting privacy
rights, the actions of other industries have at times damaged the relationship
we have with Canadians.
PIPEDA was highly effective in raising the privacy bar. We believe that some
of the proposals in Bill S-4 will make PIPEDA even more effective. All other
provisions that might weaken privacy rights should be removed from the bill.
MRIA is a champion for an enhanced privacy framework in Canada, and we
appreciate this opportunity to make some suggestions on how this committee can
The Chair: Thank you. I will ask Mr. Hill and Mr. Elder to make their
statements, and we will go to questions from the senators.
Wally Hill, Senior Vice-President Government and Consumer Affairs,
Canadian Marketing Association: Thank you to the committee for the
invitation to appear before you today to comment on the digital privacy act, or
The Canadian Marketing Association, or CMA, is the largest marketing and
advertising association in Canada, with roughly 800 corporate members, embracing
Canada's major business sectors and all marketing disciplines, channels and
technologies. The CMA is the national voice for the Canadian marketing
community, and our advocacy efforts are designed to create an environment in
which ethical marketing can succeed.
CMA has been at the forefront of the Canadian privacy landscape for many
years. Since the early 1990s, the association has had a mandatory code of ethics
and standards of practice that has included privacy protection principles. In
1995, the association was the first business association to publicly call for
national privacy legislation in order to better establish the basic principles
for the protection of personal information.
The CMA code is recognized as the self-regulatory road map for Canada's
marketing community, and it is viewed by many governments and regulatory bodies
as the benchmark for ethical marketing and effective industry self-regulation.
With the increasing collection, use and storage of personal information, CMA
remains convinced that effective privacy legislation is crucial for a healthy
marketplace. It establishes clear parameters for good business practices and, as
articulated in the preamble of PIPEDA, the law was designed to protect personal
information and thereby promote electronic commerce, which we all know is an
increasingly important component of the Canadian economy.
A recent BrandSpark International study sponsored by CMA revealed that 52 per
cent of Canadian consumers remain uncomfortable with companies collecting their
personal data online. CMA believes that many of the provisions in Bill S-4 will
help to increase consumer confidence in electronic commerce by strengthening the
existing privacy protection framework.
With a few minor caveats, CMA supports the government's effort and this bill
to update Canada's private-sector privacy law. During the first review of PIPEDA
in 2006-07, CMA encouraged the Privacy Commissioner to develop national breach
notification guidelines, which were developed and issued in 2007. The
government's subsequent consultations with stakeholder groups then resulted in a
set of breach provisions that have now been included in Bill S-4. Our
organization continues to support those changes.
However, we would urge senators and members of Parliament to consider
amendments that would clarify and improve certain provisions. To that end, I
will focus my remaining comments on four key provisions in Bill S-4.
One of the bill's provisions, clause 10.3, requires that organizations "keep
and maintain a record of every breach of security safeguards involving personal
information under its control." The notification requirements are a logical
improvement to PIPEDA, but we believe the legislation should be amended to
clarify the scope and the duration of these requirements. Bill S-4 requires
organizations to store all those records of breaches indefinitely. The legislation
as currently drafted needs to be considered in light of the challenges that this
would pose for all organizations.
It would be helpful if the legislation were to identify the purpose for the
retention of records to serve as a guide for regulations that will inevitably be
drawn up to prescribe what information needs to be retained and under what
Of greatest concern is the fact that Bill S-4 does not indicate the length of
time for which breach information should be kept. It is unreasonable and, in
fact, contrary to good privacy practices to expect companies to keep such
personal information for an indefinite period of time. Therefore, CMA believes
that the data breach retention period should be clearly established in the law,
and we would recommend that a reasonable retention period for breach-related
records would be two years.
Proposed subsection 17.1 would give the Privacy Commissioner the power to
enter into compliance agreements with organizations. CMA supports that
initiative. We understand that the agreements are voluntary, so organizations
will have a choice as to whether they wish to enter into an agreement with the
commissioner. We believe that's entirely consistent with Canada's successful
ombudsman model for privacy protection and regulation.
However, we're again concerned about the potential for unintended growth in
the scope of these agreements, and we would like to see an amendment that would
ensure that such compliance agreements will be consistent with the objectives
and jurisdictional confines of the current powers of the Privacy Commissioner.
Proposed subsection 20(2) states:
The Commissioner may, if the Commissioner considers that it is in the
public interest to do so, make public any information that comes to his or
her knowledge in the performance or exercise of any of his or her duties . . .
While we appreciate the need for the commissioner to provide useful and
appropriate information to consumers, we are concerned that the language
proposed is again overly broad. We would like to see the wording adjusted to
ensure that commercially confidential information is protected. We understand
the motivation is to allow the commissioner to report information relating to
compliance agreements to the public on a need-to-know basis, but we're concerned
that excessive disclosure of case-related information to the public could
undermine the ombudsman model by casting a chill on the working relationships
between the Office of the Privacy Commissioner of Canada and the organizations
Last, I would like to discuss proposed section 6.1, which further elaborates
on the definition of what it means to obtain valid consent.
Based on previous discussions in the Senate, in this committee and in other
government settings, it has been clearly stated that this clause is designed to
protect certain groups, particularly minors, groups that may have difficulty
understanding privacy and related consent language. The CMA strongly agrees with
this effort. Our own code of ethics has contained special provisions about
collecting the personal information of children and teens for many years now.
However, once again, this clause can be interpreted broadly and could lead to
a broad reinterpretation of the consent requirements that have been established
through PIPEDA over the past decade or so. CMA would like to see this particular
provision better defined to make it clear that minors or other vulnerable groups
are the intended focus of the section perhaps by amending it so that it applies
to "the consent of individuals belonging to classes of persons who are
especially vulnerable," which is, in fact, the wording used for similar purposes
in section 52 of the Competition Act.
To conclude, Canadian marketers and CMA fully recognize that consumer
confidence is of paramount importance and that privacy protection is a key
element of that. Simply put, CMA and responsible marketers know that respect for
personal information is good for business, and that is whether it's online or in
the bricks-and-mortar world.
We thank the committee for its attention and will be pleased to answer any
The Chair: Thank you very much, Mr. Hill.
Senator Mercer: Thank you all for being here; I appreciate your time.
Ms. Mitchelmore, in your presentation, you, like many others, have talked
about the Office of the Privacy Commissioner of Canada being appointed the body
responsible for determining whether a particular breach creates a real risk of
significant harm to an individual. How do you define "real risk"?
Ms. Mitchelmore: Thank you for the question. It is an interesting
question because that is what this whole conversation is about. MRIA's opinion
is there is so much subjectivity in what would constitute substantial harm that
organizations cannot be put in a position where they are making this breach
decision by themselves. This has to be something that is clearly articulated and
outlined in any legislation that we bring forward.
They don't have the expertise. It cannot be realistically assumed that an
organization will be compliant. This is why we feel that it is not in the best
interests of the Canadian public to put it in the hands of the organizations to
define what actually constitutes harmful or mistrust or a real risk of identity
Senator Mercer: You further go on in number four of your presentation
on page 3 talking about the sharing of information between organizations. This
is a particular part of this bill that I am concerned with, and I noticed that
you indicate you don't support it, either. You go on to say that "we" — meaning
you — "do not believe that PIPEDA should be used by organizations that are
outside of government or law authority to circumvent legal due process."
Can you give us an example of how that might manifest into someone actually
Ms. Mitchelmore: That is a very good question. Thank you.
When we were discussing this and what our opinion was based on the sharing of
information outside of government or law enforcement, it became an area that we
felt could be manipulated. While there are some instances when you have the
banking institutions that will come and talk about senior fraud and how this
could help eliminate some of the senior fraud issues if we were able to share
information that was outside of a warrant, we were of the belief at MRIA that
for information that is that sensitive and with the ability to link up digital
information in order to get additional personal information about individuals,
we felt it was a highly contentious issue for us to allow organizations to be
able to share that level of information. I will ask Annie if she wants to add
anything else to that.
Ms. Pettit: Sure. Fortunately, the kind of work the MRIA does means
that we are somewhat less at risk in this area. A financial or health
institution holds a lot more sensitive information. In our case, there may be
email addresses or home addresses, but there are far fewer instances where we
might have data that could be harmful if shared. Although on occasion, that sort
of thing could happen.
We are lucky in this instance, but we still strongly believe that if there is
a warrantable cause for seeing this kind of information, if it is justifiable,
then it logically leads to the next stage so that a court order would be the due
Senator Mercer: Thank you very much. Mr. Hill, you commented on how
long data breach records should be kept. You recommended two years. I have been
of the opinion that all data breaches should be reported to the Privacy
Commissioner, and if everything is reported to the Privacy Commissioner, then
they can determine how long the records are kept and/or stored offsite.
I am concerned that if you only store things for two years, you may not be
able to determine and detect trends that are emerging in data breaches that
happen because it may take some time, although in today's age, things happen
rather quickly. Trends sometimes take a while, and I think not keeping records
for more than two years is not right.
Would you endorse the concept of reporting all data breaches to the Privacy
Commissioner and allowing the Privacy Commissioner to make that determination?
Mr. Hill: I don't think I would endorse that approach. I would share
the concern that I think has been articulated by the Privacy Commissioner's
office, that they are concerned about being flooded with minor cases of minor
breaches that are not a concern, and they want to address those breach incidents
that pose a risk to consumers. So I would share the concern that you would
potentially be overwhelming that organization with notifications.
Senator Mercer: I would contend that a minor breach today,
undisciplined or unmanaged, could lead to more serious breaches later. I will
pass now. Thank you very much.
Senator Plett: My biggest concern is that I am starting more and more
to think like Senator Mercer does in that he asks my questions before I get to
them, and that is a real concern to me, chair.
My question is also related around the significant risk, and it was going to
be my exact question: How do you determine significant risk? You have answered
that, but I want to continue along that vein.
When I read 10.1(1), it states:
An organization shall report to the commissioner any breach of security
safeguards involving personal information under its control if it is
reasonable in the circumstances to believe that the breach creates a real
risk of significant harm to an individual.
You then go on to talk about section 10.1(8):
The factors that are relevant to determining whether a breach of security
safeguards creates a real risk of significant harm to the individual
(a) the sensitivity of the personal information involved in the
(b) the probability that the personal information has been used, is
being or will be misused; and
(c) any other prescribed factor.
Then when we continue on, we find fines up to $100,000 per failure to notify.
You are suggesting that we make the Privacy Commissioner the sole person
responsible. That would take the onus off of me, in my opinion, if I'm the
organization, because now the commissioner will determine that I have no more
responsibility. I think I have more of a responsibility if the onus is on me to
report any breaches because if I don't and I am found guilty, I will be fined
$100,000 per offence. Yet, in your presentation you say "a further protection"
and you think it is more of a protection to put the Privacy Commissioner
entirely in charge.
Please elaborate on where you get that because I think you're doing the
opposite if that amendment were ever to come in.
Ms. Mitchelmore: Those are great comments and thank you for that
question. One of the things we have to look at is size and scope. If I'm a large
organization, $100,000 is much less of a risk to me than a reputational risk of
having to go out and disclose.
When we talk about how much of a deterrent is $100,000, well, how much of a
deterrent is having to disclose and put out notifications to all clientele? When
we were going through this we were taking a look at some of the large
organizations and these are multi-million dollar contracts that they're doing
and $100,000 will not hurt their reputation as much.
The other thing we put into consideration is something we deal with every day
with MRIA, because we have standards and a code of conduct for our own members
across the country. We have to take the responsibility for determining if there
is a breach and figuring out what the sanctions will be. We do that so every
complaint gets a fair hearing and it is based on fact that goes through our
consideration and our committees to make sure that we are up to date on all of
the standards, the codes, the conduct and the sanctions that are involved so
that we are making a decision based on fact that is unbiased.
Our opinion is that it isn't unbiased for our organizations and the statement
that organizations would act in good faith because they would just act in good
faith from a business environment; while we would love to believe that
statement, where we see every day in the media and in the news that that doesn't
occur, that is not something that we would support.
Senator Plett: Those are valid arguments and I appreciate them.
Considering large organizations, I assume you would put Google into a large
organization. The chances are pretty good that if Google has had one breach they
have had a thousand breaches. A thousand times $100,000 is not an insignificant
amount of money even for Google. Granted, if they are found having breached one
case, $100,000 may not be a big deal but that likely wouldn't be the case for
Google. That might be for a smaller organization and for a smaller organization
a $100,000 fine would be significant.
I'm not the witness and it's not my position to debate with you but, again, I
want you to square that box. If the Privacy Commissioner finds out Google has
breached 1,000 times and Google says, "Oh, sorry, we'll try to correct that," if
Google is responsible or they will face a $100,000 fine times 1,000 I think they
will want to report that breach quickly.
If you want to comment further you can.
Ms. Pettit: I would like to comment. This is a lot of our concern
around subjectivity. It's very easy to say, "I didn't think it was a big deal
but now that I'm found out and you tell me it's a big deal, I apologize." That's
much easier to do to avoid reporting because I don't think it's a big deal. If
we put the onus, remove the subjectivity, from the business to the Office of the
Privacy Commissioner, then there's none of that subjectivity around what is
embarrassing and what has potential risk. That line can be drawn anywhere
depending on who you are and what company or individual you represent. We just
don't think it's appropriate to put that onus on the business. The business
should report and the Office of the Privacy Commissioner of Canada can determine
whether that is truly significant harm or that is inconsequential.
Senator Plett: "Significant" would be in the eye of the beholder, so I
guess we respectfully disagree.
Ms. Pettit: Absolutely.
Mr. Hill: We would take a different view and would argue that most
organizations in this country are responsible businesses. Whether it's Google or
another large organization, they have a lot to lose in terms of not adhering to
damaging to an organization to be found to have committed some infraction.
I would suggest that putting the onus on private sector organizations to
assess the risk to their customers — after all, these are their customers; these
are their businesses — is perfectly in keeping with the spirit of PIPEDA and how
it has operated in the past. I think, while the question is about how we assess
the risk of harm, sensitivity is one of the issues.
The other prescribed factors are mentioned in the legislation. I would
suspect the Privacy Commissioner and others will be consulted as to what some of
those prescribed factors that should be put in regulation. However, at the end
of the day, those would then serve as guides to the businesses and organizations
that are responsible for their customers' personal information. I believe the
legislation has it right.
Senator Plett: Thank you; so do I.
David Elder, Special Digital Privacy Counsel and Counsel at Stikeman
Elliott LLP, Canadian Marketing Association:
I think I may be coming at this a little differently or seeing this a bit
differently. When I read this provision it doesn't say "an organization in its
sole discretion shall determine where it's reasonable to conclude there's
significant risk of harm."
This is a legislative standard I think necessarily at the front line when
confronted with that situation the organization will make that call but they'll
make it knowing that it's part of a legislative standard that will ultimately be
reviewable by the Privacy Commissioner on a complaint basis to see whether it is
reasonable in the circumstances. Ultimately, a court would look at it and ask,
"Well, was that reasonable in the circumstances?" I think there is a check in
I don't know how you would work it otherwise, frankly, unless all breaches
got reported to the Privacy Commissioner who then made a call about whether
there was a real risk of significant harm. I think there are some protections
built into that environment and there is some oversight eventually by the
Privacy Commissioner and, again, ultimately by the courts.
Senator Plett: Outvoted two to one.
The Chair: We won't poll on that.
Senator Merchant: I have a further observation on Mr. Hill's
observations about collecting this data for an unspecified amount of time.
Information collected on a 20-year-old today may not be that significant but
maybe it will in 15 or 20 years because people's positions change and people do
grow up. In 20 years, that information may be very embarrassing or that person
may not want that information to be out there, stored and collected forever,
because standards change, too. In Shakespeare's time, in the Merchant of
Venice, we know that money lending and charging interest was frowned upon;
it was usurious, but right now the banks are doing the same thing. Standards
have changed. To keep something indefinitely seems frightening and unreasonable.
Mr. Hill: We certainly share that concern.
Senator Merchant: I do not know how you're at the two years.
Mr. Hill: I will let David speak to the two years. We've had some
discussion on this point, as to what to put forward as a proposed period of
time. I'll let David elaborate but it is open to some discussion. Indefinite is
not a good situation and I think, as you've pointed out, retaining personal
information always poses a risk. At some point the potential returns drop way
off and the risk far outweighs holding that information.
Mr. Elder: One of the fundamental principles of the act as it stands,
which would not be altered, is record retention. That is, you retain records for
only as long as you reasonably require them and then you destroy them or
obliterate them in some way after that. That is just good practice. It does not
just apply to personal information but I would argue for all types of records. I
would think responsible organizations have these kinds of record management and
retention policies where they've thought about each of these different types of
records and bits of data they have. They look at various legislative
obligations; they look at their reasonable business obligations and come up with
a schedule for retention. I think that is all we are saying. We can quibble
about the numbers.
Two years is a standard limitation period in civil litigation. If you don't
sue within two years in most cases, that's the end of it, which is why we went
on to that one. That forms the basis of a lot of companies' retention schedules.
We can quibble with the number, but the problem we think is indefinite, is
not a good practice. It can also be an onerous burden to retain that information
for that long.
Senator Merchant: I wanted to align myself with these two gentlemen.
The Chair: If there are no further questions, we will thank the
witnesses. Thank you very much for your presentations.
The witnesses for our final panel are Michael Geist, law professor from the
University of Ottawa; and Michael Crystal, a lawyer at Crystal and Associates. I
invite Professor Geist to make his presentation and then we will hear from Mr.
Crystal. Afterwards, senators will ask their questions.
Michael Geist, Law Professor, University of Ottawa, as an individual:
Thank you for the invitation. As you heard, my name is Michael Geist. I am a law
professor at the University of Ottawa, where I hold the Canada Research Chair in
Internet and E-Commerce Law. I appear today in a personal capacity representing
my own views.
I would like to structure my remarks by focusing on what I think are three
welcome elements in Bill S-4, three areas that are in need of improvement, and
identify what I think is one glaring omission.
First, the welcome elements: Bill S-4 importantly provides additional
clarification on the standard of consent. Given that meaningful consent provides
the foundation for the law, I think the clarification is much needed,
particularly for minors. Consent is meaningless if the person doesn't understand
to what they are consenting. By clarifying the standard of consent, businesses
will have greater certainty and a clear obligation to ensure that Canadians are
better informed about the collection, use and disclosure of their personal
Second, the expansion on publicly disclosing information by the Privacy
Commissioner I think is also welcome. I have long argued that that office
adopted an unnecessarily conservative interpretation of the current provision
that allows for naming organizations subject to well-founded complaints. The
expansion of the provision sends a signal that the commissioner should not
hesitate to publicly disclose information if it is in the public interest to do
Third, the extension of the deadline to take a complaint to the Federal Court
is also much needed, given that the current system represents an unnecessary
barrier to potential pursuit of Federal Court review.
Let me turn to the three areas that I think are in need of improvement. The
first area is the security breach disclosure requirements that I know have been
much discussed already. These disclosure requirements are long overdue as I
think it creates incentives for organizations to better protect their
information and allows Canadians to take action to avoid risks such as identity
theft. There are aspects in this bill that are an improvement over the prior
bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties
that are essential to create the necessary incentive for compliance. However,
there are problems with the standard for disclosure, some of which are left over
from the prior bills and some that are new to this bill.
From the prior bill, as you've heard, the standard for notification to
individuals is "a real risk of significant harm to the individual." I believe
that it should be lowered to capture more breaches. By comparison, the
California breach notification law requires disclosure of any breach of
unencrypted personal information that is reasonably believed to have been
acquired by an unauthorized person. In other words, the threshold is whether an
unauthorized person acquired the information, not whether there is a real risk
of significant harm.
In Europe, telecom breaches must be reported based on an "adverse effect to
personal data or privacy," a standard that I also think is better than what we
find in Bill S-4.
New to this bill is the removal of a two-stage process that involved, first,
informing the Privacy Commissioner and then the individual where circumstances
warrant it. I think this bill puzzlingly establishes the same standard, the
"real risk of significant harm" standard, for both notifying the commissioner
and the individuals. I believe this will mean that there will be no notification
of systemic security problems within an organization or technical standard
vulnerabilities that an organization may have identified. I repeat: Those kinds
of breaches would not be disclosed to anyone. The bill, of course, does require
organizations to maintain a record of all breaches, but only to disclose them if
the commissioner asks.
Why is this a problem? I think it is because it is likely to result in
significant underreporting of breaches since organizations will invariably err
on the side of non-reporting in borderline cases and the commissioner will be
unaware of the situation since there is no reporting requirement to that office.
I know that some have suggested that all breaches should be reported to the
commissioner. I know the commissioners thought that that would be too much.
There are some jurisdictions that require reporting of all breaches. For
example, a European Union regulation passed last year states that all personal
data breaches at telecom companies must be reported to the authority.
I believe, though, that the prior government bills, Bill C-12 and Bill C-29,
offered a better two-stage approach, so that we wouldn't capture everything but
we would capture more. The first notification would go to the Privacy
Commissioner and that would take place where there is "a material breach of
security safeguards." That is not all; that's where there is a material breach
of security safeguards. Whether that breach was material would depend upon the
sensitivity of the information, the number of individuals affected, and whether
there was a systemic problem. It didn't require a risk of significant harm. This
was the Conservatives' own bills in both Bill C-12 and 29. I thought the
two-stage process was far better since it ensured notifications first to the
commissioner for a wider range of breaches, including those that involved
systemic problems, and those aren't caught by Bill S-4.
I, therefore, recommend two changes to the provisions. First is the
California style standard for notifications to individuals. Second, the
government's own approach in C-12 and C-29 to notifying the commissioner as a
first step in some circumstances.
The second area for improvement involves the expansion of warrantless
disclosure, and I know you would have heard about this too. At a time when many
Canadians are concerned with voluntary warrantless disclosure, the bill expands
the possibility of warrantless disclosure to anyone, not just law enforcement,
featuring a provision that grants organizations the right to voluntarily
disclose personal information without the knowledge of the affected person and
without a court order to non-law enforcement organizations where they are
investigating a breach of an agreement, legal violation or the possibility of a
This broadly worded exception will allow companies to disclose personal
information to other companies or organizations without court approval. It runs
counter to recent Federal Court decisions that have sought to create clear
limits and oversight over such disclosures. Moreover, the disclosure itself is
kept secret from the affected individual who is unlikely to complain about it
because they're unaware that their information has been disclosed.
A House of Commons committee may have recommended a somewhat, although much
more narrow, similar reform in 2006. I should note that recommendation was
rejected at that time by both the Privacy Commissioner of Canada and the
Conservative government on that committee itself. The reform here is clear. The
provision opening the door to massive expansion of warrantless, non-notified,
voluntary disclosures should be removed from the bill.
Third, given the distinct lack of powers for the Privacy Commissioner of
Canada, I think the creation of compliance agreements is a step in the right
direction. But order-making power, or at least some form of direct regulatory
action, such as administrative and monetary penalties, is needed. The inability
to make well-founded findings stick without first navigating an inaccessible and
practical trip to the Federal Court has been an enormous source of frustration
for many Canadians, and I have heard from many of them.
The creation of compliance orders would have made sense had there been some
power to issue penalties or take regulatory action, as is the case in the United
States where compliance orders are commonly used. But without such a threat,
it's difficult to see why an organization would enter into a compliance
agreement. Avoiding the Federal Court is something you do when you fear you
might lose. That largely hasn't been the case under PIPEDA. Reforms are needed
to ensure that there are real penalties to ensure compliance.
Finally, let me conclude with the glaring omission. It comes back to the lack
of transparency disclosure and reporting requirements that are associated with
warrantless disclosure. The stunning revelations of over 1 million requests and
750,000 user account disclosures of personal information, the majority of which
are occurring without court oversight or warrant, point to an enormous
troubling weakness in Canada's privacy laws. Most Canadians have no awareness
that these disclosures are taking place, and I think many are shocked to learn
how frequently they are occurring and that bills before Parliament, including
this bill as well as Bill C-13, propose to expand their scope, in C-13's case by
creating immunity for those voluntary disclosures. In my view, this creates
victims of us all through disclosure of our personal information often without
our awareness or explicit consent.
I would recommend two reforms to address the issue. First, the law should
require organizations to publicly report on the number of disclosures they make
to law enforcement without knowledge or consent or without judicial warrant in
order to shed light on the frequency and use of this extraordinary exception.
The information I think should be disclosed in aggregate, so we are talking
generally, every ninety days, quarterly basis.
Secondly, organizations should be required to notify the affected individuals
within a reasonable time period, perhaps 60 days, unless doing so would affect
an active investigation.
The adoption of these two reforms, which I believe would be consistent with
what you heard from Mr. Therrien yesterday, who focused so much on transparency,
would be an important step forward in providing Canadians with greater
transparency and awareness about the use and disclosure of their personal
I welcome your questions.
Michael Crystal, Lawyer, Crystal and Associates, as an individual:
Thank you, Mr. Chairman and honourable senators, for the opportunity to speak to
you this evening about Bill S-4, the proposed Digital Privacy Act.
As a lawyer who spent the better part of 20-odd years arguing Charter issues
as a criminal lawyer and privacy lawyer and who most recently is engaged in
class actions involving the intentional unauthorized accessing of hospital
records in Ontario hospitals by employees who are subsequently fired for cause,
I am deeply troubled by several points of this bill, and I will enumerate them
Frankly, my concern is that these proposed amendments would have the effect
of transforming key privacy protection law into a law that instead authorizes,
encourages and immunizes, in some cases, violation of the privacy of Canadians.
Senators, we need only to look at today's Toronto Star. On the front
page of that paper there is a story about 8,300 new mothers who just gave birth
at the Rouge Valley hospital in Scarborough, Ontario. These individuals who gave
birth had their personal information sold by hospital employees. The basis for
the sale was for advertising.
As a lawyer, as an advocate, this is my daily reality. The phone rings. I
pick it up. A patient, whose only crime has been being a patient in a hospital,
has found out that their records were intentionally snooped and that someone has
had access to their records.
Let me now move to the more particular sections of the proposed legislation
that I take issue with. There are really only three areas, but the first and
foremost has to be section 7(10)(d.1). This allows for not only law
enforcement but now other organizations under certain circumstances to have
access to personal information; and clearly, as I say these words to you, I have
the morning headlines ringing loudly in my ears, which makes for probably a big
This section not only continues the unconscionable, and I believe potentially
unconstitutional, practice of allowing law enforcement authorities to have
warrantless access to personal information held by organizations. Even worse,
the proposed amendment would now allow non-law enforcement organizations,
including private sector businesses, to access, without any court authorization,
the personal information of Canadians that is held by other organizations.
Senators, in the biography of former Chief Justice Dickson there is a story
about the very first Charter case: Hunter v. Southam. Lawson Hunter, the
head of an administrative organization, not only had investigative powers but
quasi-judicial powers in that he could order a search without any type of
The story that is told in A Judge's Journey, the story of Chief
Justice Dickson, was this was brought under section 8 of the Charter, unlawful
search and seizure. It was the very first Charter case; it was 1983. The judges
had heard the story and the evidence. They were obviously reviewing the case. It
came to them by way of an injunction sought, and all nine judges were unanimous
that this evidence had to be excluded. The question was what was going to be the
Just by way of a bit of a story, and I don't mean to take up too much time,
they looked to Chief Justice Laskin who was still on the court but was too ill
to participate and unfortunately passed away before the decision, so Justice
Dickson was acting as the Chief Justice at the time for all intents and
He looked to the American Bill of Rights to see if that was the way to go,
but the American Bill of Rights spelled out exactly when a warrant was required.
So he went to the British common law, and he basically found that section 8
should have in it as a basis for these searches that it should be before an
independent, impartial person; that the search should have an objective basis;
and, first and foremost, that Canada is a nation that bases its law regarding
search and seizure on prior authorization, not ex post facto validation.
This is currently the status of the law with regard to section 7(10)(d.1),
which now seeks to extend to organizations the opportunity to access this
information if there is a suspected breach of contract. I would submit to you
that this runs contrary to our fundamental constitutional ethos.
Let me move briefly now to the Telus decision, which is the most
recent decision on electronic searches. That dealt with text messages. I want to
read you a line from that because the court found that text messages required a
higher warrant than a general warrant. It required the same type of
authorization that we have for wiretapping. The court stated in finding that the
search was unconstitutional that technical differences inherent in new
technology should not determine the scope of protection afforded to private
Senators, I submit to you that the tail does not get to wag the dog. We are
talking about legislation that protects individual personal privacy. It is not
an opportunity for institutions to, without any type of prior authorization,
engage in the gathering and the taking of personal information.
I will move briefly to two proposed sections I have other concerns about. One
is 10.1, which deals with notification, both for the Privacy Commissioner and
for individuals in the case of a security breach.
Having represented individuals in a class action where sensitive medical
information was accessed without authorization by hospital employees, who were
subsequently fired for their conduct, I can advise that victims of such
invasions of privacy are often devastated and left wondering why them, what was
viewed and for what purpose.
Canadian citizens have the statutory right under our privacy law to be able
to trust the custodians of their personal information. If and when those
custodians fail to protect their information, the victims of data breaches must
be entitled to be notified forthwith. I would simply say there should be a zero
tolerance policy with regard to notifications, and I will not repeat any
arguments by my colleague Mr. Geist.
I will now move to my final concern, and that is section 10.1(6). The
proposed provision states that notice of a breach shall be given as soon as
feasible, and I'm not exactly sure what that means. It does remind me of the
case, with all deliberate speed, in American jurisprudence, and notice can be
delayed if there is a criminal investigation of the breach. My submission to you
is that the section ought to be struck on the basis that it is not justifiable
to expose individuals to the risk of suffering consequences from a privacy
breach of which they are left unaware, whether consequences in the form of
criminal activity or any other kind of detriment, while police continue their
I just want to touch on the jurisprudence. There is a decision by Justice
Moldaver, as he then was when he was on the Ontario Divisional Court. In the
case of Doe v. the Toronto Police Commissioner, it was a case where there
was a serial rapist. The police had profiled the case. They knew where this
rapist struck, and yet they didn't tell anyone because they felt if they told
anyone, they couldn't catch the criminal. Basically what happened is there were
further assaults. Those women sued and were successful.
This idea does not work. That thinking has been in place before, and
basically it leaves people having their bank accounts drained, their identity
stolen and basically left without a means of compensation. Again, we have to
think about the individual and the intention of the legislation.
We should never lose sight of the fact that privacy legislation exists to
protect the privacy rights of the individual, to protect their most personal and
precious information, and not to violate those rights nor immunize those
entities whose desire for expediency outweighs any respect they might have for
the privacy protections of the individual. Thank you.
The Chair: Since you are our last witness, the chair was a little bit
Mr. Crystal: Thank you. I do appreciate it.
Senator Mercer: We do appreciate enthusiasm and passion. Thank you,
gentlemen, for being here. I've asked this question of most of our witnesses
thus far. It is about reporting of breaches of information. Everybody is
required to keep records of the breaches, but they only get reported to the
Privacy Commissioner upon request. I am of the theory that somebody needs to
maintain a database of all of this. How do you feel about whether all breaches
need to be reported to the Privacy Commissioner, recognizing that, at the
beginning, there would be a fairly large influx of reports but, as it went on,
it would probably level out?
Mr. Geist: I must admit that I'm not sure that it would level out. I
think what we have seen if anything is that with the kinds of breaches that
occur, there is more and more collection of our data and these things seem to
As I suggested in my opening remarks, I think there is a middle ground here.
I think the approach we see in this bill, where it's essentially self-report
unless the commissioner asks, quite frankly, is unworkable. We can't possibly
ask the commissioner to go to every organization to identify the breaches that
have occurred on their watch. At the same time, I'm sensitive to the concerns
that reporting every breach, however innocuous some of them might be, probably
isn't the best use of time for the organization or the commissioner. That's why
I'll repeat, I thought the government got it exactly right in terms of the
two-stage process in its prior bills. I'm puzzled as to why that's removed. It
set a lower threshold. A broader range of breaches would be required to be
disclosed to the commissioner, that standard involving a material breach of
security safeguards, which encompasses more breaches, not all but more, and then
you get to the next stage. We can debate what the appropriate standard is, but
at some other standard where you then move on to notification to the affected
Senator Mercer: Mr. Geist, do you think it's right that private
citizens will not hear about the fact that their data has been delivered or
shared between two companies without their consent under this new legislation?
Mr. Geist: As I mentioned, this strikes me as one of the most
problematic elements of the bill. Quite frankly, it runs so directly counter
both to what the courts have had to say as well as where they tried to create
some limitations on this. Given what we have seen in some other legislation,
such as Bill C-13, on which I appeared before the Justice Committee last week, I
think it moves us towards a world in which we get large amounts beyond what we
already know, huge amounts, of warrantless disclosure, which strikes me as an
enormously problematic development.
Let me note that this is not just some academic concern. This strikes me as a
very real prospect for reality where there would be disclosures that would take
place that courts have tried to guard against. As an example, we saw a lawsuit
recently in Canada where a company wanted to identify 2,000 subscribers at an
Internet service provider. They went through the court system, and the courts
had concerns that there would be abuse of the court system in that lawsuit, so
they created strict limitations on the use of that information if disclosed by
the ISP, as well as oversight in terms of the communication that would exist
from the party that was looking to contact ultimately all of those subscribers
to ensure that there was not abuse of the court system there either. With this
provision, it would be open to that same litigant to go to that Internet
provider and say, "I would like this information on these 2,000 or 5,000
subscribers, or however many number of subscribers," and that Internet provider
would be entitled under this provision to simply disclose all of that with no
court oversight or limitations. It runs directly counter to what the Federal
Court has done and has the potential to scoop up hundreds of thousands of
Canadians in the process.
Senator Mercer: We heard about the 1.2 million requests for
information that have been made to telecommunications organizations in the
country and have been met, all warrantless. I understand no warrants were
attached to any of the requests. Then people come back and say it would be too
cumbersome to constantly notify these people that their private information has
been intentionally handed over without their consent. How do you feel about
Mr. Geist: If it's not too cumbersome to hand over the personal
information of all these subscribers, then surely it isn't too cumbersome to
notify them as well. I note that we don't know, and this is part of the problem,
if all of them are warrantless. There's reason to believe that the overwhelming
majority of them are. But that speaks to another problem that I tried to
highlight towards the end of my remarks: There is a complete lack of
transparency in terms of the kinds of approaches the telecom companies and other
organizations are taking with respect to our personal information. That speaks
to the need for both notification to the individuals, which would result in a
potential decrease in the number of those requests because people would think
more carefully when they ask for information knowing that subscribers will be
notified, and for these companies to engage in quarterly disclosures of the
disclosures that they are engaged in — transparency reports, as we find with
large telecom companies in the United States like AT&T and Verizon.
That information on the 1.2 million requests in 2011 from telecom companies
is 750,000 user accounts. That was aggregated information. The telecom companies
were not willing to go on the record individually about the kind of disclosures
they make. They said that they would disclose only if it was aggregated data.
All 11 companies were asked whether they notify subscribers about these
disclosures. Every single one said they do not.
The Chair: I want to be sure we keep the pace.
Senator Mercer: Mr. Crystal, can you clarify your story about the sale
of information on new mothers from a hospital in Scarborough? I want to be clear
that the sale of this information was made by individuals working for the
hospital and that the money that exchanged hands went to the individuals and
that it was not an enterprise initiated by the hospital.
Mr. Crystal: Certainly not; but it's a breaking story. We spoke to the
journalist who wrote the story, and that's my understanding.
Senator Mercer: Thank you very much.
Senator Plett: And I thought I would get my question in before Senator
Mercer asked it. With his last question, he does it to me again. I go to great
lengths trying not to read The Toronto Star, so I would never have read
I want to clarify that the story has nothing to do with this bill. That's a
clear criminal act of somebody selling private information; and you've got a
class action lawsuit. I'm sure you are arguing that somebody did something
Mr. Crystal: I'm not involved in that case. That story was in today's
Senator Plett: As I said, I don't read The Toronto Star.
Mr. Crystal: One of the first questions I was asked today, and I think
it was by the journalist, was: Do you think there will be criminal charges?
There are provisions in the Criminal Code for this type of activity; but I don't
know what the police will do about it. I know that sometimes when I go out and
speak to people whose information has been unlawfully accessed, people who are
patients, I sometimes feel like a politician going out and speaking to
constituents because there are large groups of people that I speak to at one
In response to the question about certain breaches not being reported or
needing to be reported, it's like having certain small crimes that don't need to
be reported. These people, Canadian citizens, who find that someone has looked
at their medical information are heartbroken. They are devastated. Why? Because
it's out of the blue. It's a technology they don't understand. It's done by an
individual they don't know. It's very difficult for them to comprehend.
I understand that we are trying to deal with the economics of information
management and what works and doesn't work. From ground zero, the person who has
had the data breach happen to them, there is zero tolerance. The right to be
notified is something that everyone, no matter to whom I speak, seems to feel
very strongly about.
Senator Plett: Thank you.
On clause 10.1(6), I want to be clear here. Are you concerned about parts of
that clause or the entire clause? What if the clause read "immediately upon
realizing that there is a breach" instead of "as soon as feasible"? If the part
about the delayed notification were taken out, would that become a better
Mr. Crystal: Senator Plett, let me start off by saying that the civil
courts in that particular case found that this was unacceptable police conduct.
The point is that there is no justification from the point of view of protecting the
privacy of the individual not to tell them that their bank account is being
drained or that their name or identity is being traded for misuse.
It would seem to me that there may be some movement towards bringing this
before a judicial officer to determine whether the person should be told, but
this can be cumbersome. I simply say to you that we have seen in the Canadian
courts that this position is not tenable. It is not tenable to make the
trade-off of an investigation versus notification.
Senator Plett: It's only the bottom part of that clause that you're
Mr. Crystal: I'm concerned about holding off on notification.
Senator Plett: If it said "notification shall be given forthwith after
the organization determines that the breach has occurred . . . ", end of clause.
Mr. Crystal: Yes.
Senator Plett: That would be acceptable to you?
Mr. Crystal: Yes.
Senator Merchant: Collecting all this information is very worrisome. I
was reading something this morning that reminded me of the fight we had over the
long-form census. We were objecting to collecting information on people, and
that was with their consent. Now we're turning around and doing completely the
We are collecting all sorts of information on people without their knowledge.
I find this very troublesome.
With the previous witness from the Office of the Privacy Commissioner of Canada, I
had raised the example of wiretapping and that we have to report that to the
individual after 90 days. Mr. Geist, I believe you suggested 60 days. That has
to be changed. You cannot keep this information and not notify people
indefinitely. I don't know if you need to say anything else about that.
Mr. Geist: In this case, 60 days is just a number. I'm not fussed
about it. This was discussed actually at the Commons Justice Committee when I
appeared on Bill C-13. There were some on both the government side and from the
NDP who expressed the concern: What if this disclosure effectively impeded or
harmed an active investigation? It should be made clear that there is no intent
to do that. The time period in terms of mandating notification must surely
account to presumably allow for that investigation to run its course or, if it
still has not, to give law enforcement the ability to obtain a gag order from a
court to ensure that the notification is delayed.
Here there is a clear middle ground that will allow for notifications of the
individuals, while at the same time not in any serious way impede the work of
law enforcement as necessary. Of course, the provision that has been much
discussed already before committee expands this potential warrantless disclosure
without notification even beyond law enforcement as well. Let's not lose sight
of time in this matter.
Mr. Crystal: The amount of time it takes to drain people's financial accounts, whatever it
is, is very short. What we may say is reasonable in terms of wiretap, you have
to realize that law enforcement has gone before a judicial officer and has
convinced them that there is a crime being committed.
You were talking about people who have been the victims of a crime, and we
are talking about holding off and reporting them while their finances are
drained and there is no compensation for them. They have no way, depending on
the financial institution, of getting that money back. They just have to be good
sports about a valid police investigation.
And, heck, what happens if the investigation turns up nothing or it was the
wrong investigation? Well, we have people who have their life savings taken
away, their identity stolen, which takes eons to get back, and they are left
without a remedy. If they go to court there is no redress because the
legislation immunizes law enforcement from anything; so it is just tough luck,
sorry you got caught in the net. People are putting their personal information
in the hands of custodians whose role it is to protect that information, and
they should not have to bear any of the costs from accidents, negligence or
anything that results in that.
I tell you, I feel like a grassroots politician sometimes when I go off to
Peterborough or Sault Ste. Marie and I say —
Senator Plett: Maybe we have a riding for you.
Mr. Crystal: No further comment.
The Chair: We can negotiate on that, but I am not involved in a
political party so I cannot participate in this negotiation.
Senator Merchant: The fact that people really do mind having all this
information collected, we see that in polling that people do not want to have
information collected. I was thinking that quite frequently governments abuse
power. They think that they are doing something good, but an example would be
9/11 and all the warrantless, extended powers that were exercised. I think the
information that was collected, the indication is that over 90 per cent of that
was not used for terrorism and those applications. That is worrisome, too. Do
you have any comments about that?
Mr. Crystal: I will simply say this: There are times, such as 9/11,
during World War II, with the way that certain political parties or people of
Japanese origin were treated that sometimes dictate the way we legislate the
type of laws that come into place.
One should never lose sight of the fact that when we talk about technology,
we are talking about individuals who have trusted their personal information to
the government, which they have faith in, and to other institutions, with banks
and insurance companies.
My simple submission is: Do not lose sight of the fact that while there may
be various privacy stakeholders, the individual is the majority stakeholder. If
you use that as your guiding principle, Bill S-4 can be tailored, because there
are good things about it, as Professor Geist referred to. If you use that as the
guiding principle then the individual will benefit from this legislation. I am
not here to trash the legislation holus-bolus; I have just come to raise a
The Chair: Next week, on Tuesday, we will be going to clause-by-clause
of Bill S-4; on Wednesday we will hear from Tony Manera, former president of
CBC, who will testify on our study on CBC.