Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act)
Submission to the Standing Committee on Industry, Science and Technology
March 11, 2015
Mr. David Sweet, M.P.
Chair of the Standing Committee on Industry, Science and Technology
131 Queen Street, 6th Floor
Ottawa, Ontario K1A 0A6
Dear Mr. Sweet:
I am writing to follow up on my appearance before the Standing Committee on Industry, Science and Technology on February 17, 2015 to discuss Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act).
During my appearance, I was asked about the Report of a Special Committee of the British Columbia Legislative Assembly (the BC Special Committee) that conducted a review of British Columbia’s private sector privacy legislation, the Personal Information Protection Act (PIPA). The Report can be found at http://www.leg.bc.ca/cmt/40thparl/session-3/pipa/reports/PDF/Rpt-PIPA-40-3-Report-2015-FEB-06.pdf
Two recommendations in the Report are particularly relevant to Bill S-4: the recommendations that a breach notification requirement be added to PIPA and that the disclosure exemptions under paragraphs 18(1)(c) and 18(1)(j) of PIPA be amended in response to the Supreme Court of Canada’s decision in R. v. Spencer.
As is the case with the Personal Information Protection and Electronic Documents Act (PIPEDA), PIPA does not currently contain a requirement that organizations notify individuals or any oversight body in the event of a data breach.
The BC Special Committee’s Report notes that a number of stakeholders supported a statutory requirement for organizations to notify the Commissioner and affected individuals in the event of a privacy breach. The Report also points out more specifically that the Canadian Life and Health Insurance Association, the British Columbia Civil Liberties Association and the British Columbia Information and Privacy Commissioner (the BC Commissioner) supported the reporting threshold of “real risk of significant harm” to mirror the Alberta and proposed federal thresholds.
The Committee recommended that:
PIPA be amended to require organizations to notify both the Information and Privacy Commissioner and affected individuals of the loss of or unauthorized access or disclosure of personal information resulting from the breach of an organization’s security safeguards where there is a real risk of significant harm.
As I suggested when I appeared before your Committee, there are many ways to devise a breach notification regime; however, I think the proposal in Bill S-4 is a reasonable compromise and, like the BC Special Committee, I agree that there are advantages to a harmonized approach with Alberta and possibly with British Columbia.
Disclosure exemptions post-Spencer
The Report makes mention of several submissions that recommended narrowing paragraphs 18(1)(c) and 18(1)(j) of PIPA in the wake of the R. v. Spencer decision. These two paragraphs are reproduced below:
18(1) An organization may only disclose personal information about an individual without the consent of the individual, if …
(c) it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or proceeding …
(j) the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation.
Paragraph 18(1)(c) allows organization-to-organization disclosures without consent for the purpose of an investigation or proceeding [Footnote 1] subject to certain conditions. Our understanding is that the proposed paragraphs 7(3)(d.1) and (d.2) in Bill S-4 were intended to move PIPEDA closer to the current BC approach set out in paragraph 18(1)(c). However, for the same reasons I raised concerns about paragraphs 7(3)(d.1) and (d.2) in Bill S-4, others are also questioning paragraph 18(1)(c) of PIPA following the R. v. Spencer decision.
The BC Commissioner recommended that paragraph 18(1)(c) of PIPA be amended to limit organization-to-organization disclosures without consent to circumstances where the disclosure is necessary (rather than reasonable) for purposes related to an investigation or proceeding.
As for paragraph 18(1)(j) of PIPA, it is somewhat comparable to 7(3)(c.1) of PIPEDA in that both deal with disclosures without consent to public bodies and law enforcement agencies. The BC Commissioner recommended that paragraph 18(1)(j) be amended to limit warrantless disclosures to disclosures that are initiated by the disclosing organization and that PIPA be amended to require organizations to publish transparency reports on disclosures made without consent.
The Committee agreed with the BC Commissioner and recommended that:
Sections 18(1)(c) and 18(1)(j) of PIPA be amended to address issues raised by the decision of the Supreme Court of Canada in R. v. Spencer in accordance with the approach recommended by the Information and Privacy Commissioner. Organizations should be required to document and publish transparency reports on disclosures made without consent.
The Committee’s recommendation is generally consistent with the recommendations I made in my submission on Bill S-4 regarding the proposed new paragraphs 7(3)(d.1) and (d.2) and the existing paragraph 7(3)(c.1). Like the BC Special Committee, I believe that disclosures without consent need to be carefully circumscribed and that greater transparency is required concerning such disclosures.
(Original signed by)