Appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU) on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act)
February 17, 2015
Opening Statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Good morning Mister Chair and Members of the Committee.
Thank you very much for the invitation to present our views on Bill S-4, the Digital Privacy Act.
With me today are Patricia Kosseim, Senior General Counsel and Carman Baggaley, Senior Policy Analyst. As you may know, Ms. Kosseim and Mr. Baggaley appeared before the Senate Standing Committee on Transport and Communications on Bill S-4 last June, shortly before my appointment as Privacy Commissioner was confirmed. My views on Bill S-4 are largely in line with the Office’s position as presented at that time. I will however be addressing in more detail the proposed amendment that allows organizations to disclose personal information to other organizations without consent. I will also discuss paragraph 7(3)(c.1) disclosures in light of the Supreme Court’s R v. Spencer decision.
My detailed views about Bill S-4 are outlined in the submission we have provided to the Committee. Given the brief time I have here today, allow me to address the more noteworthy issues.
Let me first say that I am greatly encouraged by the government’s show of commitment to updating PIPEDA and I welcome many of the amendments proposed in this Bill. Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians in their dealings with private sector companies.
Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information. I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals. I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted. Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.
The proposed voluntary compliance agreements will enhance my Office’s ability to ensure, in a timely and cost effective manner, that organizations are meeting their commitments to improve their privacy practices without having to resort to costly litigation before the Federal Court in conditionally resolved cases.
As for the proposed provision that aims to enhance the concept of valid consent, I believe this is a useful clarification of what constitutes meaningful consent under PIPEDA. It underscores the need for organizations to clearly specify what personal information they are collecting and why in a manner that is suited to the target audience.
While I support many of the amendments proposed in this Bill, I nevertheless have strong reservations about paragraphs 7(3)(d.1) and (d.2). These proposed provisions would allow an organization to disclose personal information without consent to another organization in certain circumstances. My concerns are twofold.
First, I believe that the investigative body regime as it currently exists in PIPEDA, and which paragraphs 7(3)(d.1) and (d.2) seek to replace, provides important transparency and accountability safeguards that will disappear with the proposed amendments.
Currently under PIPEDA, organizations can disclose personal information without consent to investigative bodies designated through a transparent Governor in Council process. A list of organizations with investigative body status is publicly available. Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.
Furthermore, the proposed provisions seek to dilute the thresholds and grounds for disclosures that currently exist under the current investigative body regime in paragraph 7(3)(d). I would prefer to maintain the existing investigative body regime. However, if that is not possible, then I would recommend keeping the existing PIPEDA thresholds found in paragraph 7(3)(d), and grounding disclosures in real problems rather than fishing expeditions:
- The threshold under paragraph 7(3)(d.1) should be based on a “reasonable grounds to believe” that the information relates to an actual breach or contravention;
- The threshold under paragraph 7(3)(d.2) should be based on a “reasonable grounds to believe” that the information relates to the detection or suppression of fraud that “has been, is being or is about to be committed”; and
- Disclosures under paragraphs 7(3)(d.1) and (d.2) should only be permitted on the initiative of the disclosing organization.
In addition, a mechanism for enhancing transparency and accountability around these disclosures would be needed. For example, disclosing organizations could be required to issue transparency reports and to document the analysis undertaken in deciding to disclose under these provisions.
Finally, I would like to address the Spencer decision and how I believe it impacts paragraph 7(3)(c.1) of PIPEDA. In the Spencer decision, the Supreme Court held that police need a warrant or a court order when seeking subscriber information from an organization subject to PIPEDA. In the Court’s view, there is a reasonable expectation of privacy in subscriber information connected with online activity and the police request that the organization voluntarily disclose this information constituted a search that violated the Charter.
Left unanswered was the question of what types of information attract a reasonable expectation of privacy and the related question of when organizations may voluntarily disclose other types of information in response to a police request. As a result, organizations are left in a state of uncertainty and ambiguity as to when they may or may not disclose personal information without warrant and it leaves individuals in the dark about when their personal information may be disclosed to state authorities without their consent or prior judicial authorization.
I would therefore urge the Committee to recommend putting an end to this state of ambiguity by clarifying when, post-Spencer, the common law policing powers to obtain information without a warrant may still be used. I believe that a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada’s decision.
More specifically, I would recommend that Parliament provide greater clarity and transparency by amending PIPEDA to define “lawful authority” for the purposes of paragraph 7(3)(c.1) in line with the Supreme Court’s decision, that is, where there are exigent circumstances, pursuant to a reasonable law other than paragraph 7(3)(c.1) of PIPEDA, or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.
Thank you and I welcome your questions.