Proceedings of the Standing Senate Committee on
Transport and Communications

Issue 7 - Evidence, June 4, 2014

OTTAWA, Wednesday, June 4, 2014

The Standing Senate Committee on Transport and Communications, to which was referred Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act, met this day at 6:45 p.m. to give consideration to the bill.

Senator Dennis Dawson (Chair) in the chair.


The Chair: Honourable senators, this evening we continue our review of Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act. It is also known by its short title, the digital privacy act. The witnesses for our first panel are from the orphaned — for the next few days — Office of the Privacy Commissioner of Canada. We have before us Patricia Kosseim, Senior General Counsel and Director General; and Carman Baggaley, Senior Strategic Policy Advisor. I will ask you to make your presentation, after which senators will have questions.


Patricia Kosseim, Senior General Counsel and Director General, Office of the Privacy Commissioner of Canada: Thank you, Mr. Chair and members of the committee, for having invited us to discuss Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act.

Joining me today is Mr. Carman Baggaley, Senior Policy Analyst.

As you know, the office is in a period of transition. We cannot speak on behalf of the soon-to-be-appointed commissioner. But as you have asked us to appear today we will be presenting our views as they have evolved after more than 10 years' experience applying the act under the leadership of Commissioner Jennifer Stoddart, and more recently, Interim Commissioner Chantal Bernier.


Let me begin by saying we are very pleased the government has introduced legislation to update PIPEDA. This is the third such bill that has been introduced, and we hope that Bill S-4 will, in fact, result in legislation.

We have provided the committee with a detailed written submission on Bill S-4, but given the time we have today, we will limit our comments to the more noteworthy amendments.

We believe Bill S-4 will strengthen privacy protections for Canadians in their dealings with private-sector companies and build consumer trust in the digital economy. In particular, we welcome the proposals to introduce mandatory breach notification and voluntary compliance agreements.

Let me turn to those two to begin with. Requiring notification of breaches that pose a "real risk of significant harm" will bring PIPEDA in line with notification laws of many other jurisdictions. The notification proposals in Bill S-4 strike a reasonable balance, in our view.

Furthermore, requiring organizations to keep and maintain a record of every breach and provide our office with a copy of such record on request are important accountability mechanisms that will allow our office to evaluate compliance with the notification provisions and assess how organizations are making the determination whether to notify.

The proposed compliance agreements are an innovative way of encouraging organizations to work with our office to improve their practices while providing our office with a recourse mechanism to ensure that companies follow through on the commitments they make pursuant to our investigations.

The proposal to extend the window for filing applications in the Federal Court from 45 days to one year gives all parties more flexibility to resolve complex issues within a more realistic time frame.

We are also pleased by the proposed amendments to clarify the requirements for valid consent, and by the proposal to broaden the scope of information the commissioner can disclose in the public interest.

The proposed amendments to allow disclosure to communicate with the next of kin or to identify an injured, ill or deceased person serve important compassionate and humanitarian purposes.

The proposal to allow disclosures to facilitate business transactions addresses a gap that has become apparent since PIPEDA was passed, and the safeguards built into these provisions should minimize the risk of abuse, in our view.

We do, however, have some reservations about two new proposed paragraphs: 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances. We are concerned that these two amendments could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office. In our submission, we suggest some ways to minimize the risk of over-disclosing, and we urge the committee to consider ways to require organizations to be more transparent about these disclosures.


Lastly, we also believe more transparency is required around disclosures under paragraph 7(3)(c.1). This paragraph allows organizations to disclose personal information without consent to government institutions with lawful authority to request information it suspects relates to national security, or for certain purposes, including law enforcement.

We recommend that, at a minimum, organizations should be required to keep a record of these warrantless disclosures, and make this data publicly available in aggregate form, as some American-based organizations currently do.

Thank you. We would be pleased to answer any questions you may have.


The Chair: Thank you for your presence. We know, under the circumstances, that you are in an awkward situation, but we are glad that you could join us.

Senator Mercer: Again, thank you for coming here. As Senator Dawson said, we appreciate it, particularly under the current circumstances.

Your last point with respect to 7(3)(c.1) and allowing organizations to disclose personal information without consent to government institutions, we have heard in the last couple of weeks of the dramatic number of requests that were made. The acting commissioner released that to the public. I think Canadians are surprised, shocked and probably concerned that this has happened.

It seems to me that we need to find a way that protects Canadians. We understand there is a need for that information to flow to certain government agencies so that they can do their work properly. But at some point, if government agencies request information on Canadians and it is not in line with a criminal investigation, then don't you think that Canadians deserve to know that a request was made for their personal information?

Ms. Kosseim: Thank you for that question. The figure that was disclosed recently through an ATIP request on the number of requests that were made to telecommunications companies was indeed a large number. A subset of those requests was actually responded to. That is the first point of importance to make.

We think that, indeed, greater transparency around the number of requests that are made, the number of times disclosures are denied or pushed back, the number of disclosures that are made, the types of information requested, whether or not they were done with a warrant, subpoena or court order, those are the kinds of aggregate data that we believe should be reported on by companies, as many U.S. companies do, certainly through transparency reports, and we think that would be a good thing to have here as well.

Senator Mercer: If I recall the data that were released, none of the requests were attached to a warrant. I think what is more shocking than the number of requests is that no warrants were attached to these requests. Big Brother is watching here, but most of us want to make sure that Big Brother, if he or she is watching, has to respect our right to privacy and liberty under the Charter of Rights and Freedoms as well.

How do we tighten this up without limiting the need for law enforcement agencies and government enforcement agencies to have access to this? Is there a way we can tighten it up without hindering that important role that government agencies play?

Ms. Kosseim: There are a couple of ways. First, the parameters of what can be disclosed under 7(3)(c.1) is presently a question before the Supreme Court of Canada. We expect a decision fairly soon, and so we will have guidance in terms of what can be requested in cases without a warrant and what are the parameters around lawful authorities. I think that will be helpful for everyone in interpreting and applying provision 7(3)(c.1).

The transparency reports that we call for and we hope will be adopted as a practice in Canada, as it's done in the U.S., certainly is a mechanism for enhancing accountability and giving the telecommunications companies or other companies the courage to ask some tough questions, do their due diligence, ask for the source of lawful authority, question the requests and, in some cases, if they find it is legitimate, give the information, as it is their discretion to do so. But other times, they have the right to push back and to hold back the information. I think the accountability or the transparency reports will give us a better sense of what the current practice is, and in how many instances and what types of requests have been made, and what were the responses. I think that is a very important mechanism for ensuring, at the very least, greater accountability and transparency.

Senator Mercer: Perhaps we have put the cart before the horse here. We are debating this legislation while there is a ruling anticipated from the Supreme Court of Canada that may affect a very important part of this bill. I guess the good news is that it will not pass in the House of Commons. Even if it passes the Senate, it will not pass in the House of Commons before the summer break so that the Supreme Court of Canada ruling could take effect.

My last question is with regard to the issue of a record of every breach of privacy. The Privacy Commissioner will have access to that only on request. I have asked this question before, but not of people in your position.

It would seem to me that it would be beneficial to the Privacy Commissioner to see all the breaches — not necessarily investigate all breaches — to see what the trends are. If there are trends happening in a particular mode, device or industry, or a particular type of breach, it would be beneficial for the Privacy Commissioner to see those trends, and you can't see those trends if you are only looking at reports that you get on request.

Do you not think that you should be looking at all breaches? When I say "looking at," I don't necessarily mean examining each one individually, but at least have a record of them in-house so that if you need to respond to and analyze trends, you have the data in-house.

Ms. Kosseim: I think "on request" probably does strike the right balance; otherwise we would expect to be flooded by a lot of breach reports. I think "on request" allows us to make the request of individual organizations in the context of a breach or a complaint investigation, but it also allows us to ask several organizations, in the case of an audit of the industry or the sector, for instance. As long as we can request this information when we need it in order to carry out our investigations and our audits, we think that strikes a reasonable balance and is probably just the right measure of information that we would probably need when we would need it.


Senator Verner: My first question concerns the communication of information between two private organizations. Some witnesses who appeared before our committee expressed concern about possible abuses.

We understand clearly that the exchange of information between two private organizations could be used, in particular, to prevent fraud and insurance-related financial problems. We understand that sensitive data on the health of individuals could also be disclosed.

In order to balance expectations, that is the need of private sector enterprises to exchange information, and the need of consumers to have their rights protected, if Bill S-4 becomes law, will you have the necessary regulatory powers or administrative mechanisms to monitor all of this and achieve a balance?

Ms. Kosseim: Thank you for the question. It is an excellent question and, in fact, you will see in our brief that we express concerns with regard to that provision. However, we also have some suggestions to make to achieve that balance. For instance, we suggest that, at a minimum, you seriously review the provision that would allow that exchange in the name of preventing fraud. We understand that when there is documented fraud, it has to be examined or stopped, but to act to prevent fraud leaves the door wide open to a type of surveillance or monitoring and exchange of information, when there is neither need nor justification. In our opinion, preventing fraud is a wide open door, and we suggest that the text be tightened somewhat by eliminating that part of the proposed provision.

Secondly, we recommend that the threshold of "reasonableness" be raised to necessity. Once again, if disclosure can only take place when it is necessary and not when it is simply reasonable, this would be one way of tightening up disclosure between organizations.

Thirdly, and in the same vein as our comments on this issue, regarding paragraph 7(3)(c.1), we believe more transparency is required around these disclosures, and for the same reasons, we suggest that there be at least a registry where organizations keep a record of cases where they share information with other organizations, and the reasons for these disclosures, in the interest of fostering greater transparency and accountability.

Finally, if the provision comes into force, we would like it to be interpreted in a narrow way. We would expect organizations to show due diligence and review any request made by another organization to determine if the information is really necessary, if all of the information is necessary, or perhaps less of it, and if the disclosure will really put an end to a case of fraud. All of these questions have to be raised, and requests studied on a case-by-case basis, so as to avoid the exchange of information between organizations without accountability. Those are our suggestions to you concerning those two provisions.

Senator Verner: Regarding the registry, the Canadian Bar Association and the Credit Union Central of Canada expressed concerns about the administrative burden and additional costs that would be created by a registry on violations of privacy, and the mandatory reporting of situations to the Office of the Privacy Commissioner. Among other things, they were particularly concerned about the financial burden this could place on very small businesses.

Do you think these fears are justified? Are you in a position, at the Office of the Commissioner, to evaluate the financial impact of keeping a registry of this type, particularly on small businesses?

Ms. Kosseim: I must say that we have no concerns in that regard. In our opinion, creating a registry would be the minimum an organization could do to document violations of privacy. As we say, we cannot evaluate what we do not measure. So if no violations of privacy are recorded, how can businesses self-assess to see if they are improving, if they have closed loopholes, or met needs, or tightened their security measures?

That is the first step they must take to see what is happening, to set out the facts for their supervisors, and to make sure discussions regarding violations of privacy reach the highest echelons of the company.

Senator Verner: When Minister Moore appeared before the committee, I asked him, in light of the fact that he will be entrusted with an important new duty and responsibility involving the Office of the Commissioner, if the office would have sufficient funds and resources to assume this role following the adoption of Bill S-4. He replied that the interim commissioner was favorable to the bill, as you said, and that she had not requested new funds for its implementation. Would that be your opinion as well?

Ms. Kosseim: Once again, thank you for this very relevant question. We discussed resources with Industry Canada personnel and shared our concerns in this regard, all the more so since this past year we have experienced an increased rate of reports from the private and public sectors. To give you some idea, reporting has been mandatory in the public sector for a month now, that is to say since the Treasury Board directive was issued. In the space of a month, there has been a 239 per cent increase in the number of reports, as compared to the same period last year.

So it is fair to say that we can expect a heavier workload. All of the reports will not, of course, lead to investigations, but nevertheless, there will be considerable work to do to sort and assess the information, and to speak to the companies concerned; we will do our best with what we have. However, it is clear that there will be an impact on resources.


Senator Merchant: I have a further observation on permitting the disclosure of an individual's personal information without their knowledge or consent in certain limited circumstances. Then why not notify people? For instance, with wiretapping, I think you notify 90 days later. This way, you almost have the public monitoring what is happening. If you get a lot of complaints, then you know there is a problem there. Why not have something similar on this occasion?

Ms. Kosseim: Thank you for the question. There are some provisions that require notification, even when there is a consent exemption explicitly. But as a fallback, there is still the important principle of openness and transparency, where we would expect organizations to be transparent about potential collections, uses and disclosures without consent upfront with their customers.

So there is both explicit reference in some instances, as well as the general principle of openness and transparency.

I will ask my colleague to specify or add anything.

Carman Baggaley, Senior Strategic Policy Advisor, Office of the Privacy Commissioner of Canada: I think the wiretap example is a useful analogy. That's a provision that has been in the Criminal Code for many years, and law enforcement seems to be able to live with the knowledge that the wiretap will be released after a certain point if it's not used for the purpose of an investigation. I think that's a useful model where we could look at ways of trying to build in some mechanism to ensure that some of these disclosures will be made public in certain circumstances. Certainly not where it's in the midst of an investigation or in the midst of some concern with anti-terrorism or something else, but there should be a mechanism to allow disclosure that's not there now.

The Chair: Thank you very much for your presentation. We understand the circumstances. We appreciate your coming before us and we hope that you will be blessed by a good Privacy Commissioner.

We are continuing our review of Bill S-4. We have a panel from the Marketing Research and Intelligence Association and from the Canadian Marketing Association.

From the Marketing Research and Intelligence Association, we have Kara Mitchelmore, Chief Executive Officer; and Annie Pettit, Chair of Publications. From the Canadian Marketing Association, we have Wally Hill, Senior Vice-President Government and Consumer Affairs; and David Elder, Special Digital Privacy Counsel and Counsel at Stikeman Elliott LLP.

We will be hearing from the Marketing Research and Intelligence Association.

Kara Mitchelmore, Chief Executive Officer, Marketing Research and Intelligence Association: I'm with the Marketing Research and Intelligence Association, MRIA. I'm here with Dr. Annie Pettit, who, among other hats she wears, is MRIA's chair of publications.

First, thank you for inviting us to speak to you on Bill S-4, the digital privacy act.

The MRIA is a national self-regulatory association representing all sectors of the Canadian marketing research industry. Our members include over 1,500 individual research professionals and nearly 350 research agencies, as well as buyers of research services such as financial institutions, major retailers, insurance companies, telecommunications firms and manufacturers.

MRIA has always been supportive of PIPEDA. Our members devote a significant amount of time and effort to protecting our good relationship with the public, including taking steps to respect a person's right to privacy. We believe that PIPEDA has been effective and has led to considerable positive change in the way businesses operate in Canada.

We're here today to offer our general, but reserved, support for Bill S-4. We believe that a number of provisions in Bill S-4 are a step in the right direction, as they address gaps that exist in Canada's privacy framework. Paradoxically, we caution that other proposals in Bill S-4 would diminish privacy rights in Canada.

We're going to offer comments on five specific issues. Our support or concerns are limited to those five issues, which are outlined in greater detail in a brief we submitted to Mr. Charbonneau.

First, a brief notification: More than ever, organizations can amass significant amounts of data about individuals. Unfortunately, we are reading more and more about major breaches involving thousands and millions of individuals. Canadians must be made aware of these breaches so they can protect themselves.

As such, MRIA supports the mandatory breach notification requirement. We consider this to be the most important and positive proposal contained in the bill. With easy access to big data and unprecedented identity theft, it is no longer sufficient that notification of a breach be a moral obligation — it must be a legal one.

There is a caveat, however. We recommend that the bill be amended to state that the Privacy Commissioner is responsible for determining whether a breach creates a real risk of significant harm to an individual. Having this determination rest with an organization where a breach has occurred creates a potential conflict of interest with too much subjectivity. We see this unbiased assessment role as a natural extension of the commissioner's mandate, and it would result in a more objective assessment of whether significant harm has been created.

We also propose that organizations responsible for breaches should be required by law to offer free credit monitoring for a one-year period to those affected as an added measure to protect them from identity theft.

Second, valid consent: MRIA fully supports the provisions in Bill S-4 which provide added clarity for organizations when they seek the valid consent of an individual. We believe that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children.

Regarding the issue of consent by minors, this committee might be interested in MRIA's Code of Conduct and Good Practice, which contains a section on the ethical issues involved with interviewing children and young people, and the special care and precautions required on the part of the researcher. For brevity's sake, an excerpt of our code of conduct is included in your brief.

Third, prospective business transactions: We are pleased that the government recognizes the need to amend PIPEDA to allow the transfer of personal information from an organization to a prospective purchaser or business partner.

I won't go into details, but we are supportive of this provision. Annie will now finish our comments.

Annie Pettit, Chair of Publications, Marketing Research and Intelligence Association: Fourth, sharing of information between organizations: MRIA does not support the clauses in Bill S-4 which permit organizations to disclose personal information of individuals, without consent, to another organization, even for worthwhile purposes such as investigating a breach of an agreement or an alleged fraud.

Disclosure between organizations without consent should continue to require the oversight of a legal body, such as a court order or other due process of law.

While loosening the privacy laws might simplify investigations for organizations into possible breaches of fraud, MRIA believes such an allowance would go against the foundation that PIPEDA was built on; namely, that safeguards must protect the personal information of Canadians unless warranted by justifiable circumstances.

We believe this proposed clause could be used as a loophole, allowing organizations outside of government or law to circumvent legal due process. This would create an environment ripe for abuse. Similar to what Kara stated, there is too much subjectivity at play to allow organizations to make the proper determination as to whether consent is required. The guidance and oversight of a neutral and authoritative body, such as the courts, is required to avoid creating conflicts of interest.

Fifth is the sharing of information between government institutions and organizations. We also wish to comment on an existing provision within PIPEDA that allows organizations to share without consent personal information with an investigative body or government institution.

We aren't experts in legal investigations or issues of national security. We are, however, alarmed by media articles reporting that in 2011, government agencies made 1.2 million requests, without warrants, to telecom companies to disclose information of hundreds of thousands of customers.

We believe that when PIPEDA was first adopted, legislators intended to strike a balance between the need to protect personal information and the need for authorities to access personal data in specific circumstances. It seems unthinkable that legislators would have foreseen such alarming rates of circumventing the need for a warrant.

Rather, we believe that these provisions are being used as a loophole to avoid due process. We therefore urge this committee to use this opportunity to close what we consider to be a loophole by proposing new provisions in PIPEDA that more clearly outline the parameters that government institutions must follow when requesting personal information without consent.

To conclude, market and survey research play a pivotal role in our society by giving voices to the opinions of Canadians and helping to influence and improve public policy decisions. We must protect the public goodwill that exists for marketing researchers. As disciplined as researchers are in respecting privacy rights, the actions of other industries have at times damaged the relationship we have with Canadians.

PIPEDA was highly effective in raising the privacy bar. We believe that some of the proposals in Bill S-4 will make PIPEDA even more effective. All other provisions that might weaken privacy rights should be removed from the bill.

MRIA is a champion for an enhanced privacy framework in Canada, and we appreciate this opportunity to make some suggestions on how this committee can achieve that.

The Chair: Thank you. I will ask Mr. Hill and Mr. Elder to make their statements, and we will go to questions from the senators.

Wally Hill, Senior Vice-President Government and Consumer Affairs, Canadian Marketing Association: Thank you to the committee for the invitation to appear before you today to comment on the digital privacy act, or Bill S-4.

The Canadian Marketing Association, or CMA, is the largest marketing and advertising association in Canada, with roughly 800 corporate members, embracing Canada's major business sectors and all marketing disciplines, channels and technologies. The CMA is the national voice for the Canadian marketing community, and our advocacy efforts are designed to create an environment in which ethical marketing can succeed.

CMA has been at the forefront of the Canadian privacy landscape for many years. Since the early 1990s, the association has had a mandatory code of ethics and standards of practice that has included privacy protection principles. In 1995, the association was the first business association to publicly call for national privacy legislation in order to better establish the basic principles for the protection of personal information.

The CMA code is recognized as the self-regulatory road map for Canada's marketing community, and it is viewed by many governments and regulatory bodies as the benchmark for ethical marketing and effective industry self-regulation.

With the increasing collection, use and storage of personal information, CMA remains convinced that effective privacy legislation is crucial for a healthy marketplace. It establishes clear parameters for good business practices and, as articulated in the preamble of PIPEDA, the law was designed to protect personal information and thereby promote electronic commerce, which we all know is an increasingly important component of the Canadian economy.

A recent BrandSpark International study sponsored by CMA revealed that 52 per cent of Canadian consumers remain uncomfortable with companies collecting their personal data online. CMA believes that many of the provisions in Bill S-4 will help to increase consumer confidence in electronic commerce by strengthening the existing privacy protection framework.

With a few minor caveats, CMA supports the government's effort and this bill to update Canada's private-sector privacy law. During the first review of PIPEDA in 2006-07, CMA encouraged the Privacy Commissioner to develop national breach notification guidelines, which were developed and issued in 2007. The government's subsequent consultations with stakeholder groups then resulted in a set of breach provisions that have now been included in Bill S-4. Our organization continues to support those changes.

However, we would urge senators and members of Parliament to consider amendments that would clarify and improve certain provisions. To that end, I will focus my remaining comments on four key provisions in Bill S-4.

One of the bill's provisions, clause 10.3, requires that organizations "keep and maintain a record of every breach of security safeguards involving personal information under its control." The notification requirements are a logical improvement to PIPEDA, but we believe the legislation should be amended to clarify the scope and the duration of these requirements. Bill S-4 requires organizations store all those records of breaches indefinitely. The legislation as currently drafted needs to be considered in light of the challenges that this would pose for all organizations.

It would be helpful if the legislation were to identify the purpose for the retention of records to serve as a guide for regulations that will inevitably be drawn up to prescribe what information needs to be retained and under what circumstances.

Of greatest concern is the fact that Bill S-4 does not indicate the length of time for which breach information should be kept. It is unreasonable and, in fact, contrary to good privacy practices to expect companies to keep such personal information for an indefinite period of time. Therefore, CMA believes that the data breach retention period should be clearly established in the law, and we would recommend that a reasonable retention period for breach-related records would be two years.

Proposed subsection 17.1 would give the Privacy Commissioner the power to enter into compliance agreements with organizations. CMA supports that initiative. We understand that the agreements are voluntary, so organizations will have a choice as to whether they wish to enter into an agreement with the commissioner. We believe that's entirely consistent with Canada's successful ombudsman model for privacy protection and regulation.

However, we're again concerned about the potential for unintended growth in the scope of these agreements, and we would like to see an amendment that would ensure that such compliance agreements will be consistent with the objectives and jurisdictional confines of the current powers of the Privacy Commissioner.

Proposed subsection 20(2) states:

The Commissioner may, if the Commissioner considers that it is in the public interest to do so, make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties. . . .

While we appreciate the need for the commissioner to provide useful and appropriate information to consumers, we are concerned that the language proposed is again overly broad. We would like to see the wording adjusted to ensure that commercially confidential information is protected. We understand the motivation is to allow the commissioner to report information relating to compliance agreements to the public on a need-to-know basis, but we're concerned that excessive disclosure of case-related information to the public could undermine the ombudsman model by casting a chill on the working relationships between the Office of the Privacy Commissioner of Canada and the organizations it regulates.

Last, I would like to discuss proposed section 6.1, which further elaborates on the definition of what it means to obtain valid consent.

Based on previous discussions in the Senate, in this committee and in other government settings, it has been clearly stated that this clause is designed to protect certain groups, particularly minors, groups that may have difficulty understanding privacy and related consent language. The CMA strongly agrees with this effort. Our own code of ethics has contained special provisions about collecting the personal information of children and teens for many years now.

However, once again, this clause can be interpreted broadly and could lead to a broad reinterpretation of the consent requirements that have been established through PIPEDA over the past decade or so. CMA would like to see this particular provision better defined to make it clear that minors or other vulnerable groups are the intended focus of the section perhaps by amending it so that it applies to "the consent of individuals belonging to classes of persons who are especially vulnerable," which is, in fact, the wording used for similar purposes in section 52 of the Competition Act.

To conclude, Canadian marketers and CMA fully recognize that consumer confidence is of paramount importance and that privacy protection is a key element of that. Simply put, CMA and responsible marketers know that respect for personal information is good for business, and that is whether it's online or in the bricks-and-mortar world.

We thank the committee for its attention and will be pleased to answer any questions.

The Chair: Thank you very much, Mr. Hill.

Senator Mercer: Thank you all for being here; I appreciate your time.

Ms. Mitchelmore, in your presentation, you, like many others, have talked about the Office of the Privacy Commissioner of Canada being appointed the body responsible for determining whether a particular breach creates a real risk of significant harm to an individual. How do you define "real risk"?

Ms. Mitchelmore: Thank you for the question. It is an interesting question because that is what this whole conversation is about. MRIA's opinion is there is so much subjectivity in what would constitute substantial harm that organizations cannot be put in a position where they are making this breach decision by themselves. This has to be something that is clearly articulated and outlined in any legislation that we bring forward.

They don't have the expertise. It cannot be realistically assumed that an organization will be compliant. This is why we feel that it is not in the best interests of the Canadian public to put it in the hands of the organizations to define what actually constitutes harmful or mistrust or a real risk of identity theft.

Senator Mercer: You further go on in number four of your presentation on page 3 talking about the sharing of information between organizations. This is a particular part of this bill that I am concerned with, and I noticed that you indicate you don't support it, either. You go on to say that "we" — meaning you — "do not believe that PIPEDA should be used by organizations that are outside of government or law authority to circumvent legal due process."

Can you give us an example of how that might manifest into someone actually doing this?

Ms. Mitchelmore: That is a very good question. Thank you.

When we were discussing this and what our opinion was based on the sharing of information outside of government or law enforcement, it became an area that we felt could be manipulated. While there are some instances when you have the banking institutions that will come and talk about senior fraud and how this could help eliminate some of the senior fraud issues if we were able to share information that was outside of a warrant, we were of the belief at MRIA that for information that is that sensitive and with the ability to link up digital information in order to get additional personal information about individuals, we felt it was a highly contentious issue for us to allow organizations to be able to share that level of information. I will ask Annie if she wants to add anything else to that.

Ms. Pettit: Sure. Fortunately, the kind of work the MRIA does means that we are somewhat less at risk in this area. A financial or health institution holds a lot more sensitive information. In our case, there may be email addresses or home addresses, but there are far fewer instances where we might have data that could be harmful if shared. Although on occasion, that sort of thing could happen.

We are lucky in this instance, but we still strongly believe that if there is a warrantable cause for seeing this kind of information, if it is justifiable, then it logically leads to the next stage so that a court order would be the due process required.

Senator Mercer: Thank you very much. Mr. Hill, you commented on how long data breach records should be kept. You recommended two years. I have been of the opinion that all data breaches should be reported to the Privacy Commissioner, and if everything is reported to the Privacy Commissioner, then they can determine how long the records are kept and/or stored offsite.

I am concerned that if you only store things for two years, you may not be able to determine and detect trends that are emerging in data breaches that happen because it may take some time, although in today's age, things happen rather quickly. Trends sometimes take a while, and I think not keeping records for more than two years is not right.

Would you endorse the concept of reporting all data breaches to the Privacy Commissioner and allowing the Privacy Commissioner to make that determination?

Mr. Hill: I don't think I would endorse that approach. I would share the concern that I think has been articulated by the Privacy Commissioner's office, that they are concerned about being flooded with minor cases of minor breaches that are not a concern, and they want to address those breach incidents that pose a risk to consumers. So I would share the concern that you would potentially be overwhelming that organization with notifications.

Senator Mercer: I would contend that a minor breach today, undisciplined or unmanaged, could lead to more serious breaches later. I will pass now. Thank you very much.

Senator Plett: My biggest concern is that I am starting more and more to think like Senator Mercer does in that he asks my questions before I get to them, and that is a real concern to me, chair.

My question is also related around the significant risk, and it was going to be my exact question: How do you determine significant risk? You have answered that, but I want to continue along that vein.

When I read 10.1(1), it states:

An organization shall report to the commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

You then go on to talk about section 10.1(8):

The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:

(a) the sensitivity of the personal information involved in the breach;

(b) the probability that the personal information has been used, is being or will be misused; and

(c) any other prescribed factor.

Then when we continue on, we find fines up to $100,000 per failure to notify.

You are suggesting that we make the Privacy Commissioner the sole person responsible. That would take the onus off of me, in my opinion, if I'm the organization, because now the commissioner will determine that I have no more responsibility. I think I have more of a responsibility if the onus is on me to report any breaches because if I don't and I am found guilty, I will be fined $100,000 per offence. Yet, in your presentation you say "a further protection" and you think it is more of a protection to put the Privacy Commissioner entirely in charge.

Please elaborate on where you get that because I think you're doing the opposite if that amendment were ever to come in.

Ms. Mitchelmore: Those are great comments and thank you for that question. One of the things we have to look at is size and scope. If I'm a large organization, $100,000 is much less of a risk to me than a reputational risk of having to go out and disclose.

When we talk about how much of a deterrent is $100,000, well, how much of a deterrent is having to disclose and put out notifications to all clientele? When we were going through this we were taking a look at some of the large organizations and these are multi-million dollar contracts that they're doing and $100,000 will not hurt their reputation as much.

The other thing we put into consideration is something we deal with every day with MRIA, because we have standards and a code of conduct for our own members across the country. We have to take the responsibility for determining if there is a breach and figuring out what the sanctions will be. We do that so every complaint gets a fair hearing and it is based on fact that goes through our consideration and our committees to make sure that we are up to date on all of the standards, the codes, the conduct and the sanctions that are involved so that we are making a decision based on fact that is unbiased.

Our opinion is that it isn't unbiased for our organizations and the statement that organizations would act in good faith because they would just act in good faith from a business environment; while we would love to believe that statement, where we see every day in the media and in the news that that doesn't occur, that is not something that we would support.

Senator Plett: Those are valid arguments and I appreciate them. Considering large organizations, I assume you would put Google into a large organization. The chances are pretty good that if Google has had one breach they have had a thousand breaches. A thousand times $100,000 is not an insignificant amount of money even for Google. Granted, if they are found having breached one case, $100,000 may not be a big deal but that likely wouldn't be the case for Google. That might be for a smaller organization and for a smaller organization a $100,000 fine would be significant.

I'm not the witness and it's not my position to debate with you but, again, I want you to square that box. If the Privacy Commissioner finds out Google has breached 1,000 times and Google says, "Oh, sorry, we'll try to correct that," if Google is responsible or they will face a $100,000 fine times 1,000 I think they will want to report that breach quickly.

If you want to comment further you can.

Ms. Pettit: I would like to comment. This is a lot of our concern around subjectivity. It's very easy to say, "I didn't think it was a big deal but now that I'm found out and you tell me it's a big deal, I apologize." That's much easier to do to avoid reporting because I don't think it's a big deal. If we put the onus, remove the subjectivity, from the business to the Office of the Privacy Commissioner, then there's none of that subjectivity around what is embarrassing and what has potential risk. That line can be drawn anywhere depending on who you are and what company or individual you represent. We just don't think it's appropriate to put that onus on the business. The business should report and the Office of the Privacy Commissioner of Canada can determine whether that is truly significant harm or that is inconsequential.

Senator Plett: "Significant" would be in the eye of the beholder, so I guess we respectfully disagree.

Ms. Pettit: Absolutely.

Mr. Hill: We would take a different view and would argue that most organizations in this country are responsible businesses. Whether it's Google or another large organization, they have a lot to lose in terms of not adhering to privacy policy, privacy law. In reputational terms, it is often much more damaging to an organization to be found to have committed some infraction.

I would suggest that putting the onus on private sector organizations to assess the risk to their customers — after all, these are their customers; these are their businesses — is perfectly in keeping with the spirit of PIPEDA and how it has operated in the past. I think, while the question is about how we assess the risk of harm, sensitivity is one of the issues.

The other prescribed factors are mentioned in the legislation. I would suspect the Privacy Commissioner and others will be consulted as to what some of those prescribed factors are that should be put in regulation. However, at the end of the day, those would then serve as guides to the businesses and organizations that are responsible for their customers' personal information. I believe the legislation has it right.

Senator Plett: Thank you; so do I.

David Elder, Special Digital Privacy Counsel and Counsel at Stikeman Elliott LLP, Canadian Marketing Association: I think I may be coming at this a little differently or seeing this a bit differently. When I read this provision it doesn't say "an organization in its sole discretion shall determine where it's reasonable to conclude there's significant risk of harm."

This is a legislative standard. I think necessarily, at the front line, when confronted with that situation, the organization will make that call, but they'll make it knowing that it's part of a legislative standard that will ultimately be reviewable by the Privacy Commissioner on a complaint basis to see whether it is reasonable in the circumstances. Ultimately, a court would look at it and ask, "Well, was that reasonable in the circumstances?" I think there is a check in there.

I don't know how you would work it otherwise, frankly, unless all breaches got reported to the Privacy Commissioner who then made a call about whether there was a real risk of significant harm. I think there are some protections built into that environment and there is some oversight eventually by the Privacy Commissioner and, again, ultimately by the courts.

Senator Plett: Outvoted two to one.

The Chair: We won't poll on that.

Senator Merchant: I have a further observation on Mr. Hill's observations about collecting this data for an unspecified amount of time.

Information collected on a 20-year-old today may not be that significant but maybe it will in 15 or 20 years because people's positions change and people do grow up. In 20 years, that information may be very embarrassing or that person may not want that information to be out there, stored and collected forever, because standards change, too. In Shakespeare's time, in the Merchant of Venice, we know that money lending and charging interest was frowned upon; it was usurious, but right now the banks are doing the same thing. Standards have changed. To keep something indefinitely seems frightening and unreasonable.

Mr. Hill: We certainly share that concern.

Senator Merchant: I do not know how you arrived at the two years.

Mr. Hill: I will let David speak to the two years. We've had some discussion on this point, as to what to put forward as a proposed period of time. I'll let David elaborate but it is open to some discussion. Indefinite is not a good situation and I think, as you've pointed out, retaining personal information always poses a risk. At some point the potential returns drop way off and the risk far outweighs holding that information.

Mr. Elder: One of the fundamental principles of the act as it stands, which would not be altered, is record retention. That is, you retain records for only as long as you reasonably require them and then you destroy them or obliterate them in some way after that. That is just good practice. It does not just apply to personal information but I would argue for all types of records. I would think responsible organizations have these kinds of record management and retention policies where they've thought about each of these different types of records and bits of data they have. They look at various legislative obligations; they look at their reasonable business obligations and come up with a schedule for retention. I think that is all we are saying. We can quibble about the numbers.

Two years is a standard limitation period in civil litigation. If you don't sue within two years in most cases, that's the end of it, which is why we went on to that one. That forms the basis of a lot of companies' retention schedules.

We can quibble with the number, but the problem, we think, is that indefinite is not a good practice. It can also be an onerous burden to retain that information for that long.

Senator Merchant: I wanted to align myself with these two gentlemen.

The Chair: If there are no further questions, we will thank the witnesses. Thank you very much for your presentations.

The witnesses for our final panel are Michael Geist, law professor from the University of Ottawa; and Michael Crystal, a lawyer at Crystal and Associates. I invite Professor Geist to make his presentation and then we will hear from Mr. Crystal. Afterwards, senators will ask their questions.

Michael Geist, Law Professor, University of Ottawa, as an individual: Thank you for the invitation. As you heard, my name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-Commerce Law. I appear today in a personal capacity representing my own views.

I would like to structure my remarks by focusing on what I think are three welcome elements in Bill S-4, three areas that are in need of improvement, and identify what I think is one glaring omission.

First, the welcome elements: Bill S-4 importantly provides additional clarification on the standard of consent. Given that meaningful consent provides the foundation for the law, I think the clarification is much needed, particularly for minors. Consent is meaningless if the person doesn't understand to what they are consenting. By clarifying the standard of consent, businesses will have greater certainty and a clear obligation to ensure that Canadians are better informed about the collection, use and disclosure of their personal information.

Second, the expansion on publicly disclosing information by the Privacy Commissioner I think is also welcome. I have long argued that that office adopted an unnecessarily conservative interpretation of the current provision that allows for naming organizations subject to well-founded complaints. The expansion of the provision sends a signal that the commissioner should not hesitate to publicly disclose information if it is in the public interest to do so.

Third, the extension of the deadline to take a complaint to the Federal Court is also much needed, given that the current system represents an unnecessary barrier to potential pursuit of Federal Court review.

Let me turn to the three areas that I think are in need of improvement. The first area is the security breach disclosure requirements that I know have been much discussed already. These disclosure requirements are long overdue as I think it creates incentives for organizations to better protect their information and allows Canadians to take action to avoid risks such as identity theft. There are aspects in this bill that are an improvement over the prior bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties that are essential to create the necessary incentive for compliance. However, there are problems with the standard for disclosure, some of which are left over from the prior bills and some that are new to this bill.

From the prior bill, as you've heard, the standard for notification to individuals is "a real risk of significant harm to the individual." I believe that it should be lowered to capture more breaches. By comparison, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the threshold is whether an unauthorized person acquired the information, not whether there is a real risk of significant harm.

In Europe, telecom breaches must be reported based on an "adverse effect to personal data or privacy," a standard that I also think is better than what we find in Bill S-4.

New to this bill is the removal of a two-stage process that involved, first, informing the Privacy Commissioner and then the individual where circumstances warrant it. I think this bill puzzlingly establishes the same standard, the "real risk of significant harm" standard, for both notifying the commissioner and the individuals. I believe this will mean that there will be no notification of systemic security problems within an organization or technical standard vulnerabilities that an organization may have identified. I repeat: Those kinds of breaches would not be disclosed to anyone. The bill, of course, does require organizations to maintain a record of all breaches, but only to disclose them if the commissioner asks.

Why is this a problem? I think it is because it is likely to result in significant underreporting of breaches since organizations will invariably err on the side of non-reporting in borderline cases and the commissioner will be unaware of the situation since there is no reporting requirement to that office.

I know that some have suggested that all breaches should be reported to the commissioner. I know the commissioners thought that that would be too much.

There are some jurisdictions that require reporting of all breaches. For example, a European Union regulation passed last year states that all personal data breaches at telecom companies must be reported to the authority.

I believe, though, that the prior government bills, Bill C-12 and Bill C-29, offered a better two-stage approach, so that we wouldn't capture everything but we would capture more. The first notification would go to the Privacy Commissioner and that would take place where there is "a material breach of security safeguards." That is not all; that's where there is a material breach of security safeguards. Whether that breach was material would depend upon the sensitivity of the information, the number of individuals affected, and whether there was a systemic problem. It didn't require a risk of significant harm. This was the Conservatives' own bills in both Bill C-12 and 29. I thought the two-stage process was far better since it ensured notifications first to the commissioner for a wider range of breaches, including those that involved systemic problems, and those aren't caught by Bill S-4.

I, therefore, recommend two changes to the provisions. First is the California style standard for notifications to individuals. Second, the government's own approach in C-12 and C-29 to notifying the commissioner as a first step in some circumstances.

The second area for improvement involves the expansion of warrantless disclosure, and I know you would have heard about this too. At a time when many Canadians are concerned with voluntary warrantless disclosure, the bill expands the possibility of warrantless disclosure to anyone, not just law enforcement, featuring a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to non-law enforcement organizations where they are investigating a breach of an agreement, legal violation or the possibility of a future violation.

This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. It runs counter to recent Federal Court decisions that have sought to create clear limits and oversight over such disclosures. Moreover, the disclosure itself is kept secret from the affected individual who is unlikely to complain about it because they're unaware that their information has been disclosed.

A House of Commons committee may have recommended a somewhat, although much more narrow, similar reform in 2006. I should note that recommendation was rejected at that time by both the Privacy Commissioner of Canada and the Conservative government on that committee itself. The reform here is clear. The provision opening the door to massive expansion of warrantless, non-notified, voluntary disclosures should be removed from the bill.

Third, given the distinct lack of powers for the Privacy Commissioner of Canada, I think the creation of compliance agreements is a step in the right direction. But order-making power, or at least some form of direct regulatory action, such as administrative and monetary penalties, is needed. The inability to make well-founded findings stick without first navigating an inaccessible and practical trip to the Federal Court has been an enormous source of frustration for many Canadians, and I have heard from many of them.

The creation of compliance orders would have made sense had there been some power to issue penalties or take regulatory action, as is the case in the United States where compliance orders are commonly used. But without such a threat, it's difficult to see why an organization would enter into a compliance agreement. Avoiding the Federal Court is something you do when you fear you might lose. That largely hasn't been the case under PIPEDA. Reforms are needed to ensure that there are real penalties to ensure compliance.

Finally, let me conclude with the glaring omission. It comes back to the lack of transparency disclosure and reporting requirements that are associated with warrantless disclosure. The stunning revelations of over 1 million requests and 750,000 user account disclosures of personal information, the majority of which are occurring without court oversight or warrant, point to an enormous, troubling weakness in Canada's privacy laws. Most Canadians have no awareness that these disclosures are taking place, and I think many are shocked to learn how frequently they are occurring and that bills before Parliament, including this bill as well as Bill C-13, propose to expand their scope, in C-13's case by creating immunity for those voluntary disclosures. In my view, this creates victims of us all through disclosure of our personal information often without our awareness or explicit consent.

I would recommend two reforms to address the issue. First, the law should require organizations to publicly report on the number of disclosures they make to law enforcement without knowledge or consent or without judicial warrant in order to shed light on the frequency and use of this extraordinary exception. The information I think should be disclosed in aggregate, so we are talking generally, every ninety days, quarterly basis.

Secondly, organizations should be required to notify the affected individuals within a reasonable time period, perhaps 60 days, unless doing so would affect an active investigation.

The adoption of these two reforms, which I believe would be consistent with what you heard from Mr. Therrien yesterday, who focused so much on transparency, would be an important step forward in providing Canadians with greater transparency and awareness about the use and disclosure of their personal information.

I welcome your questions.

Michael Crystal, Lawyer, Crystal and Associates, as an individual: Thank you, Mr. Chairman and honourable senators, for the opportunity to speak to you this evening about Bill S-4, the proposed Digital Privacy Act.

As a lawyer who spent the better part of 20-odd years arguing Charter issues as a criminal lawyer and privacy lawyer and who most recently is engaged in class actions involving the intentional unauthorized accessing of hospital records in Ontario hospitals by employees who are subsequently fired for cause, I am deeply troubled by several points of this bill, and I will enumerate them shortly.

Frankly, my concern is that these proposed amendments would have the effect of transforming key privacy protection law into a law that instead authorizes, encourages and immunizes, in some cases, violation of the privacy of Canadians.

Senators, we need only to look at today's Toronto Star. On the front page of that paper there is a story about 8,300 new mothers who just gave birth at the Rouge Valley hospital in Scarborough, Ontario. These individuals who gave birth had their personal information sold by hospital employees. The basis for the sale was for advertising.

As a lawyer, as an advocate, this is my daily reality. The phone rings. I pick it up. A patient, whose only crime has been being a patient in a hospital, has found out that their records were intentionally snooped and that someone has had access to their records.

Let me now move to the more particular sections of the proposed legislation that I take issue with. There are really only three areas, but the first and foremost has to be section 7(10)(d.1). This allows for not only law enforcement but now other organizations under certain circumstances to have access to personal information; and clearly, as I say these words to you, I have the morning headlines ringing loudly in my ears, which makes for probably a big headache.

This section not only continues the unconscionable, and I believe potentially unconstitutional, practice of allowing law enforcement authorities to have warrantless access to personal information held by organizations. Even worse, the proposed amendment would now allow non-law enforcement organizations, including private sector businesses, to access, without any court authorization, the personal information of Canadians that is held by other organizations.

Senators, in the biography of former Chief Justice Dickson there is a story about the very first Charter case: Hunter v. Southam. Lawson Hunter, the head of an administrative organization, not only had investigative powers but quasi-judicial powers in that he could order a search without any type of warrant.

The story that is told in A Judge's Journey, the story of Chief Justice Dickson, was this was brought under section 8 of the Charter, unlawful search and seizure. It was the very first Charter case; it was 1983. The judges had heard the story and the evidence. They were obviously reviewing the case. It came to them by way of an injunction sought, and all nine judges were unanimous that this evidence had to be excluded. The question was what was going to be the seminal issue.

Just by way of a bit of a story, and I don't mean to take up too much time, they looked to Chief Justice Laskin who was still on the court but was too ill to participate and unfortunately passed away before the decision, so Justice Dickson was acting as the Chief Justice at the time for all intents and purposes.

He looked to the American Bill of Rights to see if that was the way to go, but the American Bill of Rights spelled out exactly when a warrant was required. So he went to the British common law, and he basically found that section 8 should have in it as a basis for these searches that it should be before an independent, impartial person; that the search should have an objective basis; and, first and foremost, that Canada is a nation that bases its law regarding search and seizure on prior authorization, not ex post facto validation.

This is currently the status of the law with regard to section 7(10)(d.1), which now seeks to extend to organizations the opportunity to access this information if there is a suspected breach of contract. I would submit to you that this runs contrary to our fundamental constitutional ethos.

Let me move briefly now to the Telus decision, which is the most recent decision on electronic searches. That dealt with text messages. I want to read you a line from that because the court found that text messages required a higher warrant than a general warrant. It required the same type of authorization that we have for wiretapping. The court stated in finding that the search was unconstitutional that technical differences inherent in new technology should not determine the scope of protection afforded to private communications.

Senators, I submit to you that the tail does not get to wag the dog. We are talking about legislation that protects individual personal privacy. It is not an opportunity for institutions to, without any type of prior authorization, engage in the gathering and the taking of personal information.

I will move briefly to two proposed sections I have other concerns about. One is 10.1, which deals with notification, both for the Privacy Commissioner and for individuals in the case of a security breach.

Having represented individuals in a class action where sensitive medical information was accessed without authorization by hospital employees, who were subsequently fired for their conduct, I can advise that victims of such invasions of privacy are often devastated and left wondering why them, what was viewed and for what purpose.

Canadian citizens have the statutory right under our privacy law to be able to trust the custodians of their personal information. If and when those custodians fail to protect their information, the victims of data breaches must be entitled to be notified forthwith. I would simply say there should be a zero tolerance policy with regard to notifications, and I will not repeat any arguments by my colleague Mr. Geist.

I will now move to my final concern, and that is section 10.1(6). The proposed provision states that notice of a breach shall be given as soon as feasible, and I'm not exactly sure what that means. It does remind me of the Brown case, with all deliberate speed, in American jurisprudence, and notice can be delayed if there is a criminal investigation of the breach. My submission to you is that the section ought to be struck on the basis that it is not justifiable to expose individuals to the risk of suffering consequences from a privacy breach of which they are left unaware, whether consequences in the form of criminal activity or any other kind of detriment, while police continue their investigation.

I just want to touch on the jurisprudence. There is a decision by Justice Moldaver, as he then was when he was on the Ontario Divisional Court. In the case of Doe v. the Toronto Police Commissioner, it was a case where there was a serial rapist. The police had profiled the case. They knew where this rapist struck, and yet they didn't tell anyone because they felt if they told anyone, they couldn't catch the criminal. Basically what happened is there were further assaults. Those women sued and were successful.

This idea does not work. That thinking has been in place before, and basically it leaves people having their bank accounts drained, their identity stolen and basically left without a means of compensation. Again, we have to think about the individual and the intention of the legislation.

We should never lose sight of the fact that privacy legislation exists to protect the privacy rights of the individual, to protect their most personal and precious information, and not to violate those rights nor immunize those entities whose desire for expediency outweighs any respect they might have for the privacy protections of the individual. Thank you.

The Chair: Since you are our last witness, the chair was a little bit generous.

Mr. Crystal: Thank you. I do appreciate it.

Senator Mercer: We do appreciate enthusiasm and passion. Thank you, gentlemen, for being here. I've asked this question of most of our witnesses thus far. It is about reporting of breaches of information. Everybody is required to keep records of the breaches, but they only get reported to the Privacy Commissioner upon request. I am of the theory that somebody needs to maintain a database of all of this. How do you feel about whether all breaches need to be reported to the Privacy Commissioner, recognizing that, at the beginning, there would be a fairly large influx of reports but, as it went on, it would probably level out?

Mr. Geist: I must admit that I'm not sure that it would level out. I think what we have seen if anything is that with the kinds of breaches that occur, there is more and more collection of our data and these things seem to increase.

As I suggested in my opening remarks, I think there is a middle ground here. I think the approach we see in this bill, where it's essentially self-report unless the commissioner asks, quite frankly, is unworkable. We can't possibly ask the commissioner to go to every organization to identify the breaches that have occurred on their watch. At the same time, I'm sensitive to the concerns that reporting every breach, however innocuous some of them might be, probably isn't the best use of time for the organization or the commissioner. That's why I'll repeat, I thought the government got it exactly right in terms of the two-stage process in its prior bills. I'm puzzled as to why that's removed. It set a lower threshold. A broader range of breaches would be required to be disclosed to the commissioner, that standard involving a material breach of security safeguards, which encompasses more breaches, not all but more, and then you get to the next stage. We can debate what the appropriate standard is, but at some other standard where you then move on to notification to the affected individuals.

Senator Mercer: Mr. Geist, do you think it's right that private citizens will not hear about the fact that their data has been delivered or shared between two companies without their consent under this new legislation?

Mr. Geist: As I mentioned, this strikes me as one of the most problematic elements of the bill. Quite frankly, it runs so directly counter both to what the courts have had to say as well as where they tried to create some limitations on this. Given what we have seen in some other legislation, such as Bill C-13, on which I appeared before the Justice Committee last week, I think it moves us towards a world in which we get large amounts beyond what we already know, huge amounts, of warrantless disclosure, which strikes me as an enormously problematic development.

Let me note that this is not just some academic concern. This strikes me as a very real prospect for reality where there would be disclosures that would take place that courts have tried to guard against. As an example, we saw a lawsuit recently in Canada where a company wanted to identify 2,000 subscribers at an Internet service provider. They went through the court system, and the courts had concerns that there would be abuse of the court system in that lawsuit, so they created strict limitations on the use of that information if disclosed by the ISP, as well as oversight in terms of the communication that would exist from the party that was looking to contact ultimately all of those subscribers to ensure that there was not abuse of the court system there either. With this provision, it would be open to that same litigant to go to that Internet provider and say, "I would like this information on these 2,000 or 5,000 subscribers, or however many number of subscribers," and that Internet provider would be entitled under this provision to simply disclose all of that with no court oversight or limitations. It runs directly counter to what the Federal Court has done and has the potential to scoop up hundreds of thousands of Canadians in the process.

Senator Mercer: We heard about the 1.2 million requests for information that have been made to telecommunications organizations in the country and have been met, all warrantless. I understand no warrants were attached to any of the requests. Then people come back and say it would be too cumbersome to constantly notify these people that their private information has been intentionally handed over without their consent. How do you feel about that?

Mr. Geist: If it's not too cumbersome to hand over the personal information of all these subscribers, then surely it isn't too cumbersome to notify them as well. I note that we don't know, and this is part of the problem, if all of them are warrantless. There's reason to believe that the overwhelming majority of them are. But that speaks to another problem that I tried to highlight towards the end of my remarks: There is a complete lack of transparency in terms of the kinds of approaches the telecom companies and other organizations are taking with respect to our personal information. That speaks to the need for both notification to the individuals, which would result in a potential decrease in the number of those requests because people would think more carefully when they ask for information knowing that subscribers will be notified, and for these companies to engage in quarterly disclosures of the disclosures that they are engaged in — transparency reports, as we find with large telecom companies in the United States like AT&T and Verizon.

That information on the 1.2 million requests in 2011 from telecom companies is 750,000 user accounts. That was aggregated information. The telecom companies were not willing to go on the record individually about the kind of disclosures they make. They said that they would disclose only if it was aggregated data. All 11 companies were asked whether they notify subscribers about these disclosures. Every single one said they do not.

The Chair: I want to be sure we keep the pace.

Senator Mercer: Mr. Crystal, can you clarify your story about the sale of information on new mothers from a hospital in Scarborough? I want to be clear that the sale of this information was made by individuals working for the hospital and that the money that exchanged hands went to the individuals and that it was not an enterprise initiated by the hospital.

Mr. Crystal: Certainly not; but it's a breaking story. We spoke to the journalist who wrote the story, and that's my understanding.

Senator Mercer: Thank you very much.

Senator Plett: And I thought I would get my question in before Senator Mercer asked it. With his last question, he does it to me again. I go to great lengths trying not to read The Toronto Star, so I would never have read the article.

I want to clarify that the story has nothing to do with this bill. That's a clear criminal act of somebody selling private information; and you've got a class action lawsuit. I'm sure you are arguing that somebody did something criminal.

Mr. Crystal: I'm not involved in that case. That story was in today's newspaper.

Senator Plett: As I said, I don't read The Toronto Star.

Mr. Crystal: One of the first questions I was asked today, and I think it was by the journalist, was: Do you think there will be criminal charges? There are provisions in the Criminal Code for this type of activity; but I don't know what the police will do about it. I know that sometimes when I go out and speak to people whose information has been unlawfully accessed, people who are patients, I sometimes feel like a politician going out and speaking to constituents because there are large groups of people that I speak to at one time.

In response to the question about certain breaches not being reported or needing to be reported, it's like having certain small crimes that don't need to be reported. These people, Canadian citizens, who find that someone has looked at their medical information are heartbroken. They are devastated. Why? Because it's out of the blue. It's a technology they don't understand. It's done by an individual they don't know. It's very difficult for them to comprehend.

I understand that we are trying to deal with the economics of information management and what works and doesn't work. From ground zero, the person who has had the data breach happen to them, there is zero tolerance. The right to be notified is something that everyone, no matter to whom I speak, seems to feel very strongly about.

Senator Plett: Thank you.

On clause 10.1(6), I want to be clear here. Are you concerned about parts of that clause or the entire clause? What if the clause read "immediately upon realizing that there is a breach" instead of "as soon as feasible"? If the part about the delayed notification were taken out, would that become a better clause?

Mr. Crystal: Senator Plett, let me start off by saying that the civil courts in that particular case found that this was unacceptable police conduct. The point is that there is no justification from the point of view of protecting the privacy of the individual not to tell them that their bank account is being drained or that their name or identity is being traded for misuse.

It would seem to me that there may be some movement towards bringing this before a judicial officer to determine whether the person should be told, but this can be cumbersome. I simply say to you that we have seen in the Canadian courts that this position is not tenable. It is not tenable to make the trade-off of an investigation versus notification.

Senator Plett: It's only the bottom part of that clause that you're concerned about.

Mr. Crystal: I'm concerned about holding off on notification.

Senator Plett: If it said "notification shall be given forthwith after the organization determines that the breach has occurred . . . ", end of clause.

Mr. Crystal: Yes.

Senator Plett: That would be acceptable to you?

Mr. Crystal: Yes.

Senator Merchant: Collecting all this information is very worrisome. I was reading something this morning that reminded me of the fight we had over the long-form census. We were objecting to collecting information on people, and that was with their consent. Now we're turning around and doing completely the opposite.

We are collecting all sorts of information on people without their knowledge. I find this very troublesome.

With the previous witness from the Office of the Privacy Commissioner of Canada, I had raised the example of wiretapping and that we have to report that to the individual after 90 days. Mr. Geist, I believe you suggested 60 days. That has to be changed. You cannot keep this information and not notify people indefinitely. I don't know if you need to say anything else about that.

Mr. Crystal: In this case, 60 days is just a number. I'm not fussed about it. This was discussed actually at the Commons Justice Committee when I appeared on Bill C-13. There were some on both the government side and from the NDP who expressed the concern: What if this disclosure effectively impeded or harmed an active investigation? It should be made clear that there is no intent to do that. The time period in terms of mandating notification must surely account to presumably allow for that investigation to run its course or, if it still has not, to give law enforcement the ability to obtain a gag order from a court to ensure that the notification is delayed.

Here there is a clear middle ground that will allow for notifications of the individuals, while at the same time not in any serious way impede the work of law enforcement as necessary. Of course, the provision that has been much discussed already before committee expands this potential warrantless disclosure without notification even beyond law enforcement as well. Let's not lose sight of time in this matter.

The amount of time it takes to drain people's financial accounts, whatever it is, is very short. What we may say is reasonable in terms of wiretap, you have to realize that law enforcement has gone before a judicial officer and has convinced them that there is a crime being committed.

You were talking about people who have been the victims of a crime, and we are talking about holding off and reporting them while their finances are drained and there is no compensation for them. They have no way, depending on the financial institution, of getting that money back. They just have to be good sports about a valid police investigation.

And, heck, what happens if the investigation turns up nothing or it was the wrong investigation? Well, we have people who have their life savings taken away, their identity stolen, which takes eons to get back, and they are left without a remedy. If they go to court there is no redress because the legislation immunizes law enforcement from anything; so it is just tough luck, sorry you got caught in the net. People are putting their personal information in the hands of custodians whose role it is to protect that information, and they should not have to bear any of the costs from accidents, negligence or anything that results in that.

I tell you, I feel like a grassroots politician sometimes when I go off to Peterborough or Sault Ste. Marie and I say —

Senator Plett: Maybe we have a riding for you.

Mr. Crystal: No further comment.

The Chair: We can negotiate on that, but I am not involved in a political party so I cannot participate in this negotiation.

Senator Merchant: The fact that people really do mind having all this information collected, we see that in polling that people do not want to have information collected. I was thinking that quite frequently governments abuse power. They think that they are doing something good, but an example would be 9/11 and all the warrantless, extended powers that were exercised. I think the information that was collected, the indication is that over 90 per cent of that was not used for terrorism and those applications. That is worrisome, too. Do you have any comments about that?

Mr. Crystal: I will simply say this: There are times, such as 9/11, during World War II, with the way that certain political parties or people of Japanese origin were treated that sometimes dictate the way we legislate the type of laws that come into place.

One should never lose sight of the fact that when we talk about technology, we are talking about individuals who have trusted their personal information to the government, which they have faith in, and to other institutions, with banks and insurance companies.

My simple submission is: Do not lose sight of the fact that while there may be various privacy stakeholders, the individual is the majority stakeholder. If you use that as your guiding principle, Bill S-4 can be tailored, because there are good things about it, as Professor Geist referred to. If you use that as the guiding principle then the individual will benefit from this legislation. I am not here to trash the legislation holus-bolus; I have just come to raise a couple concerns.

The Chair: Next week, on Tuesday, we will be going to clause-by-clause of Bill S-4; on Wednesday we will hear from Tony Manera, former president of CBC, who will testify on our study on CBC.

We are adjourned until Tuesday morning.

(The committee adjourned.)