The Digital Privacy Act (Bill S-4) will make significant changes to Canadian privacy law when it is enacted. The amendments to PIPEDA have been in the making since 2007, following the statutory review of PIPEDA by the Standing Committee on Access to Information, Privacy and Ethics. The Bill has passed the Senate and was referred to the Standing Committee on Industry, Science and Technology (INDU). The INDU Committee will begin considering the Bill on November 25, 2014.
The Government of Canada Backgrounder says that “Canada’s Digital Privacy Act provides important improvements to Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA)” and that it “will ensure that Canadians are safer and more secure when they surf the web or shop online”. The Bill does add more privacy protection for Canadians. It also removes certain barriers to legitimate activities not contemplated when PIPEDA became law more than a decade ago. The Bill, however, needs amending to enable it to better accomplish its objectives. Some of the areas that need close attention at the INDU Committee are the amendments related to requirements for obtaining consent, privacy breach notification, the exception for making disclosures by organizations to other organizations, and the expanded “name and shame” powers of the Commissioner.
Bill S-4 would add a major new requirement for obtaining consents that could vitiate many existing and future consents pertaining to the collection, use, and disclosure of personal information. New Section 6.1 would read as follows:
For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The Government’s stated purpose of this amendment is to protect vulnerable Canadians, like children and seniors, when they surf the web. This is clear from the statements made in the House of Commons by Conservative MPs such as Mike Lake (the Parliamentary Secretary to the Minister of Industry, James Moore), Joyce Bateman, Mill Woods, and John Carmichael.
The wording of the amendment goes much further than the stated objective. As drafted it would require all organizations to assess whether all of the users of their web sites (and products and services) that they target and from whom personal information is collected understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. For organizations and web sites whose numerous users span many demographics, the challenge of complying with the new requirement will be daunting. For example, web sites and services like Gmail, Facebook, Yahoo, YouTube, and Twitter, which are ranked amongst the most popular by Alexa, and others such as Wikipedia, Pinterest, Instagram, Craigslist, and Yelp, each have hundreds of millions of unique visitors per month, many of whom are Canadian. These services would have to tailor their privacy policies for each demographic.
The proposed amendment would inevitably result in some policies being viewed as too complicated for some groups to understand and not comprehensive enough for others, with other demographics in between. It would also inexorably result in privacy policies and practices viewed as acceptable elsewhere around the world being found non-compliant with this new Canadian standard for consent. An amendment that clearly targets specific vulnerable users, such as children under age 13, as COPPA does, is a much preferable approach. It would also better accord with the Government’s rationale for the amendment.
Breaches of Security Safeguards
Bill S-4 would introduce into federal law a new set of obligations with respect to breaches of security safeguards, a term defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” The obligations in clause 4.7 include an obligation to protect personal information “by security safeguards appropriate to the sensitivity of the information”.
Under the amendment, organizations would be required to report to the Commissioner any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. The report would have to be made “as soon as feasible after the organization determines that the breach has occurred”. (s.10.1)
Organizations would also have to notify a potentially affected individual of such a breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”. The notice would have to contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The notice would generally have to be given directly, such as by mail or email, except to the extent regulations permit indirect notice, such as notices in newspapers. The notice would have to be given “as soon as feasible after the organization determines that the breach has occurred”. (s.10.1) If such a notice is given, the organization then has further reporting obligations to other organizations, a government institution or a part of a government institution “if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm”. (s.10.2)
The obligation to provide notice to the Commissioner or affected individuals is triggered by a “real risk of significant harm” to an individual. The term “significant harm” is defined to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”. The Bill also lists non-exclusive factors that should be taken into account.
The Government’s proposal to add security breach notification obligations to the federal privacy law is consistent with developments elsewhere. Notification requirements already exist in Alberta under PIPA. Many organizations in Canada also routinely notify the OPC, as well as the Alberta, BC and Quebec privacy commissioners of serious security breaches.
The security breach amendments need some technical amendments. The obligation to report a security breach is to be made “as soon as feasible after the organization determines that the breach has occurred”. Yet, the obligation to provide notice arises only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”. As written, the drafting is defective because the notice has to be given before the organization has had a chance to determine whether any individual has been affected by the breach and whether it is serious enough to be reportable.
Further, even if the wording were amended to accord with the obvious intention of the Government, the obligation to give notice would still be tied to the effects of the security breach on each individual. Yet, in the face of significant breaches affecting many individuals, it makes far more sense to give organizations time to assess the impacts of the breach on their customers as a whole rather than on specific individuals. The drafting appears to contemplate that organizations would have to send out notices at different points in time depending on what might be discovered about the effect of the breach on each customer. This is wholly impractical in complicated security breaches caused by cyber criminals. Organizations would have to send out notices in separate batches, potentially confusing consumers or falsely leading those who did not receive a notice to believe their personal information had not been accessed. Alternatively, they would have to send notices to consumers whose personal information had not been confirmed to have been accessed, potentially alarming individuals where that is not warranted. It would also practically require organizations to provide consumers not affected by a breach with benefits such as credit monitoring they don’t need, which would further drive up the already hefty costs of dealing with security breaches.
The most worrisome aspect of the security breach proposals is the potential liability for breach. The liability for knowingly violating the notification requirements is punitive. An organization can be prosecuted and fined up to $10,000 if the offence is prosecuted on summary conviction, or $100,000 if the offence is pursued by way of indictment. (s.28) The Government’s stated intent is that the liability can be as high as $100,000 for each individual not notified of a security breach. See the Backgrounder and statements made in the House of Commons by Mike Lake. Thus, for a breach affecting millions of Canadians, the potential fine could be a staggering sum in the hundreds of billions of dollars. The effect of these potentially disproportionate fines would be to cause organizations to over-report actual or possible security breaches because of the draconian remedies that could bankrupt them in the case of a major data breach. This would not only over-burden the OPC, but could result in ordinary Canadians receiving too many notices. Studies are already showing that individuals feel apathetic and powerless to deal with data breaches. Consumers who come to believe that organizations are being hyper-cautious to avoid such fines may, to their detriment, disregard notices and neglect to act on the ones where action is really required.
Organization-to-organization disclosures
Bill S-4 would also amend paragraph (d) of Subsection 7(3) of the Act to permit disclosures in several new situations including where:
(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
These amendments were recommended during the statutory review of PIPEDA. Recommendation 6 of the report stated:
The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.
The Government response to the recommendation was to agree that the recommendation had merit and that it would “give further consideration to the issue of how best to streamline the Act’s provisions in respect of private sector investigative activity”.
This amendment is an important one. Its purpose was explained by Conservative MP Cheryl Gallant who, in a statement in the House of Commons, also responded to criticisms of the amendment by Michael Geist and others:
Let us now address any misunderstanding by individuals who have not read our legislation, particularly when things are read into this bill that clearly do not exist, such as claims that this bill expands warrantless disclosure.
When all parties in this House agreed to enact PIPEDA over a decade ago, we recognized that there were certain limited circumstances where an individual’s right to privacy should be balanced to assist the public interest. For example, PIPEDA ensures that the right to freedom of expression is respected by allowing for information to be collected and used for journalistic or artistic purposes. Another example is that PIPEDA allows people to freely share information with their lawyer, even if it includes the personal information of another individual, to ensure the proper administration of justice.
PIPEDA allows private sector organizations to disclose individuals’ personal information in order to conduct investigations that help protect Canadians from wrongdoing. This provision has always existed within PIPEDA. Bill S-4 does not expand this practice. Rather, our legislation would place tight rules and strict limits on when and how private organizations could share Canadians’ personal information.
I would like to emphasize to the House the role of private organizations and how they can play an important role in creating a safe and secure society for Canadians. Consider, for example, self-regulating professional associations, like the College of Physicians and Surgeons of Ontario, the Law Society of Alberta, or the Association of Professional Engineers of Nova Scotia. These bodies have the legal authority to investigate their members and take disciplinary action where required. This may be because a physician is performing procedures that he or she is not qualified to perform; it may be because a lawyer is charging inappropriate fees to clients; or, it may be because an engineer is approving the drawings for a new building without actually reviewing them.
It is not difficult to see there is a real public interest in making sure that these professional associations have the ability to investigate complaints against their members and to ensure they are meeting high professional standards that benefit Canadian society. In order to do so, investigators must be able to obtain personal information that is protected under PIPEDA. For example, when investigating a complaint against a lawyer, the law society may request that the lawyer’s firm provides access to his or her client lists, financial records, or calendar. All of these records could include personal information which normally could not be disclosed to investigators without the individual’s consent.
Under PIPEDA as it now stands, investigators who want to access personal information without consent must be listed as an investigative body by Industry Canada. This involves coming forward to the department and justifying the need to access the information. This is an onerous process for organizations and for the government. For example, a simple name change by an investigative organization may lead to a year-long regulatory process before the change is reflected in the law.
During the first statutory review of PIPEDA, the House of Commons committee recommended that PIPEDA be amended to change the rules for private investigations and adopt a system that is consistent with both Alberta and British Columbia. Under these regimes, there is a general exception to consent for information sharing purposes of private sector investigations.
In essence, these provincial laws regulate the activity of private investigations rather than the organizations who conduct them. Bill S-4 would introduce similar rules to those that already exist in Alberta and British Columbia. By placing tight rules and stricter limits on when and how private organizations can share a Canadian’s personal information, our government is complying with the recommendations made by the all-party committee.
Upon Bill S-4 being enacted, private organizations would be required to abide by four strict rules when sharing a Canadian’s private information for the purposes of an investigation. It is important for Canadians to appreciate that despite these rules, private organization information sharing is voluntary. These rules only apply in the event that an organization agrees to disclose information for the purposes of an investigation. These rules are as follows:
First, the information can only be provided to another private organization, not the government and not law enforcement. Second, the information that is requested must be relevant to the investigation. For example, there is little reason that a social insurance number would be released for the purposes of investigating professional misconduct. Third, the investigation must pertain to a contravention of the law or breach of a contract. Finally, it must be reasonable to believe that seeking the consent of the individual to disclose the information would compromise the investigation.
To be clear, organizations that share information would continue to be subject to all other requirements of PIPEDA. The Privacy Commissioner and the Federal Court will continue to have oversight on this matter, and if an organization is found to be using the exemption provisions where it is not necessary, action would be taken by the commissioner or by the court.
While the new exception is helpful, it does not fully address the needs of organizations to share information in the escalating arms race against cybercrime. Cyber-criminals are using very sophisticated ways of hacking into corporate and government networks and computer systems that store vast amounts of personal information about individual Canadians. Often, one organization discovers the breach and needs to inform other organizations about it so that it can be investigated and closed down and so that individuals can be notified to protect themselves. The importance of information sharing to combat cybercrime is recognized in Bill S-4 which, as noted above, requires an organization that has given individuals notice to notify other organizations if that would reduce or mitigate the risk of harm. The policy of dispensing with consent in the face of security threats was also recently recognized by Industry Canada in Section 6(a) of the IC CASL Regulations. However, there is no right under Bill S-4 to disclose personal information directly to other organizations when a breach is discovered. Further, while many security breaches would be a breach of a federal law, some might not be, and getting legal opinions in the face of an urgent need to act to protect individuals’ personal information may not always be feasible.
One of the most powerful tools the Commissioner has to incent compliance with PIPEDA is the power to “name and shame”. With certain exceptions, information provided to the Commissioner must not be disclosed to others. As the Act now stands, there is an exception that permits disclosure “in the public interest” of information about the information management practices of an organization. Bill S-4 would expand this disclosure right to permit the Commissioner to make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers, as well as information in security breach notifications to the Commissioner. (s.20)
While the power to “name and shame” is an important one, it should not be unlimited. The Commissioner has extensive investigatory powers under Section 12 of the Act, and in the course of investigations organizations frequently also volunteer extensive information to the Commissioner. Some of that information may be very sensitive, such as the security processes used to protect personal information, trade secrets or financial information. It may also be subject to duties owed to third parties or to a request from law enforcement to keep it confidential. Organizations being investigated may well hesitate to disclose such information to the Commissioner if it could be made public, which could reduce their willingness to cooperate with the Commissioner, something which under the current regime works relatively well.