:
Good morning, ladies and gentlemen.
Bonjour à tous. Welcome to the 39th Meeting of the Standing Committee on Industry, Science and Technology.
Again we have witnesses here in regard to Bill
From Borden Ladner Gervais, we have Éloïse Gratton. Welcome.
From the Canadian Life and Health Insurance Association, we have Frank Zinatelli, vice-president and general counsel; and Anny Duval.
From the Credit Union Central of Canada, we have Marc-André Pigeon, director of financial sector policy; and Rob Martin, senior policy adviser.
From the Insurance Bureau of Canada, there is Randy J. Bundus, senior vice-president, legal and general counsel; Madalina Murariu, acting manager, federal affairs; and Richard Dubin, vice-president, investigative services.
We will begin with the opening statements in order.
I think you've been advised that you have five to six minutes for your opening statements.
Madame Gratton, please begin.
:
Thank you very much for providing me with the opportunity to speak to you today.
My name is Éloïse Gratton. I am a partner at Borden Ladner Gervais. I also teach a privacy law course at the University of Montreal law faculty.
I've been practising in the field of privacy law for over 15 years and I represent a range of clients, mostly private sector businesses from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients.
My time is limited, so I'm going to first mention two provisions in Bill that have my support, and then two that raise concerns.
I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.
I have concerns with two provisions in Bill , the first one being the clarification on valid consent. I know that many have appeared before me to discuss Bill S-4 and they have expressed their approval of the proposed amendment to clarify the requirements for valid consent.
Yes, in theory, not many people would logically object to having more stringent provisions governing valid consent; still, I have a few concerns with this proposal.
PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: do we have a concern with this consent requirement, and if so, will the proposed amendment address such concerns?
If the proposed amendment is accepted, the message sent to organizations is that the way they used to get consent may no longer be valid and that perhaps they should be taking additional steps.
PIPEDA is based on a “notice and choice” model that may prove to be a real challenge in 2015. In my recent book Understanding Personal Information, I have a chapter dealing with the challenges with this notice and choice approach. I was raising that in our day and age, it is debatable whether this model still makes sense and is a realistic one. Very busy individuals with limited time are expected to review, understand, and agree to various different—sometimes online—terms of use agreements, and keep up with new technologies and business models constantly evolving.
We have also already begun witnessing how consent forms are now requiring a few additional clicks to ensure that express consent is obtained in compliance with the new Canadian anti-spam law, since under this law certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement. I am mostly concerned that this type of amendment will be translated by organizations including additional verbiage in their already very long privacy statements and by requiring more clicks from users already overloaded with information.
I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand in some situations the necessity for this proposal.
A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One example worth noting was the case of Stevens v. SNF Maritime Metal. It's a case that ended up in the Federal Court in 2010. This was the case of SNF, a company purchasing scrap metal from another company. That company's employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal to them. SNF disclosed the fact to his employer, who was already suspecting that someone was stealing scrap metal from them. The company realized that its employee was indeed stealing from them. They fired him and the employee then sued SNF for breach of his privacy.
Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since they had disclosed personal information about Stevens, the fraudulent employee, to its employee and their business partner without his prior consent.
The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the investigation of a breach of an agreement provision, or the purposes of detecting fraud provision. These disclosures would further be invisible to both the individuals concerned and to the Office of the Privacy Commissioner.
If we could find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such a situation would have to be transparent about these disclosures, I would offer my support to this type of amendment.
Thank you. I welcome your questions.
:
We will both be making a presentation, Mr. Chair.
My name is Frank Zinatelli. I'm vice-president and general counsel with the Canadian Life and Health Insurance Association. I'm accompanied today by my colleague Anny Duval, who is counsel with the CLHIA.
The CLHIA represents life and health insurance companies, accounting for 99% of the life and health insurance in force across Canada. The Canadian life and health insurance industry provides products that include individual life and group life, disability insurance, supplementary health insurance, individual and group annuities, including RRSPs, RRIFs, TFSAs, and pensions.
The industry protects almost 28 million Canadians and about 45 million people internationally. The industry makes benefit payments to Canadians of $76 billion a year, has $647 billion invested in Canada's economy, and provides employment to over 150,000 Canadians.
We welcome this opportunity to appear before the committee as it reviews Bill , which makes important amendments to the Personal Information Protection and Electronic Documents Act.
For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has been long recognized by the industry as an absolutely necessary condition for maintaining access to such information. Accordingly over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.
For example, in 1980 we developed right to privacy guidelines that represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protections acts in the early 2000s, and health information legislation in various provinces.
The industry's overarching theme is to achieve harmonization in the treatment of personal information across Canada as much as possible. The operations of life and health insurers are national in scope, and many common day-to-day transactions may involve interprovincial collection use and disclosure of personal information. Thus, the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level is very important to avoid unproductive duplication and confusion for consumers, organizations, and regulators alike.
With harmonization in mind, let me turn now to Bill , the digital privacy act. The industry is generally supportive of the bill, as it contains some needed updates that move PIPEDA to be more consistent with other private sector privacy legislation in the country.
For example, B.C. and Alberta deal with the use of information without consent of the individual more effectively than is now the case in PIPEDA. In this regard, the industry strongly supports those amendments to section 7 of PIPEDA, particularly proposed paragraph 7(3)(d.2), which would help industry efforts to detect, deter, and minimize fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging.
The industry efforts to control the incidence of fraud are not in conflict with our protection of personal information, but we note that there's a gap in the current legislation that restricts the ability of organizations to disclose information without consent of the individual for the purpose of conducting an investigation into a breach of an agreement or of a law of Canada.
While it is industry practice to obtain consent, there exist clear instances where this cannot be done—for example, where the suspected perpetrator is a third party that is not directly involved with the insurance contract, such as a service provider to a member of a group benefit plan.
In some instances, obtaining consent makes no sense. For example, this latter situation is contemplated in a note to principle 3 of the CSA model code for the protection of personal information, which forms part of PIPEDA:
When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.
For these reasons, we support Bill amendments to section 7 of PIPEDA, which more clearly set out when personal information can be collected, used, and disclosed during an investigation.
This will allow all parties to more clearly understand the range of acceptable circumstances when there is an exception to consent and will have the additional advantage of being harmonized with the approach used in both the Alberta and B.C. PIPA.
:
Finally, Chairman, we would like to touch on a provision that has already received a lot of attention by other witnesses: proposed PIPEDA section 6.1, in clause 5 of the bill, describing when consent is valid.
We believe a clear and consistent understanding of consent for the purposes of privacy legislation has developed across Canada during the last decade or so. We are concerned, therefore, that the attempt at clarification may well create more confusion than fulfill the purpose for which it was created. We understand that this amendment is aimed at supplementing the test for informed consent in the context of, for example, minors in their online interactions. But proposed section 6.1 is not limited to the areas of concern expressed. Without clarification in the bill, in regulations, or by some other formal means, it raises questions for organizations as to what is expected of them and how it would be applied and interpreted. We suggest that such clarification is necessary and can be achieved through guidelines or regulations.
Chairman, the goal of our industry is to improve the workability of personal information privacy rules by promoting the adoption of provisions that are practical, predictable, and harmonized across the country as much as possible.
The industry greatly appreciates this opportunity to participate in the committee's review of Bill S-4. We would be pleased to answer any questions you may have.
Thank you.
I also thank the committee for the opportunity to share with you our thoughts on Bill .
Before addressing our views on this bill, I would like to begin by making a few preliminary remarks regarding the role of my organization, Credit Union Central of Canada, and more generally, the credit union system in Canada.
[English]
Canadian Central is the national trade association for its owners, the provincial credit union centrals. Through them, we provide services to about 315 affiliated credit unions across the country.
As you may know, credit unions represent an important part of the Canadian economy. We have about 1,700 credit union branches that serve 5.3 million Canadians. We have $170 billion in assets and 27,000 employees.
Credit unions in Canada come in all shapes and sizes. It's important to understand that some of our smallest credit unions have less than $10 million in assets, one full-time employee, and one part-time employee. Our biggest credit unions have $20 billion in assets and literally thousands of employees. So there's a lot of disparity or gap there. Regardless of size, however, as member-owned and controlled institutions we believe we have an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for the protection of our members' privacy.
The Credit Union Code for the Protection of Personal lnformation, adopted by credit unions in advance of the 2004 compliance deadline, really speaks to the system's long-standing commitment to member privacy. In fact, well before it was required or fashionable, this code reflected the credit union system's commitment to protect member privacy by proactively implementing consent requirements for the use of personal information. This commitment to member privacy is enhanced through employee training programs, strong internal policies and procedures, and member awareness programs.
In general, we think Bill does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse. However, we think this measure could be refined somewhat by making it possible to disclose suspected abuse to a member of the individual's family. Research has shown that often, in the case of elder abuse especially, the next of kin are the abuser. We think a little stretch would help with that situation.
We are especially encouraged by attention to this important public policy issue because the credit union system has taken a bit of a lead on this issue of elder abuse. We've designed a course for front-line credit union employees on financial elder abuse detection and prevention and recently made an announcement to that effect with Minister Wong in Winnipeg. We also like Bill because it does a lot to reduce some of the regulatory burden that results from the current framework.
To give you an example, we are supportive of the proposal that would make it less difficult for institutions to share information when they're in merger discussions. As you may know, the credit union system is rapidly consolidating, so this is a welcome development. Similarly, we support the proposed amendments that permit the sharing of information between organizations for the purposes of fraud prevention. This too will reduce the administrative burden associated with some of the activities of Canadian Central, my organization's Credit Union Office for Crime Prevention and Investigation.
We note, however, that as drafted, the information sharing between financial institutions appears to be limited to the detection and suppression of fraud. We would recommend that financial institutions be allowed to share information related to criminal activity to cover the broader range of activities that we want to capture: bank robberies, ATM breaches, and that kind of thing. We also have some concerns about provisions that may increase regulatory burden.
Specifically, the legislation proposes requirements that would compel financial institutions to keep records of all data breaches. As you know, the reporting requirements say that breaches must be divulged when they pose a real risk of significant harm to individuals. We're not clear why it is necessary to impose record-keeping requirements that are not aligned with this reporting test. The usefulness in recording incidents that do not meet the significant harm reporting threshold is not readily apparent to us. We would recommend aligning the record-keeping requirement with the proposed reporting requirements. We also question the proposed potential penalty of $100,000 for non-compliance with this new record-keeping requirement. While this may not be a material amount to some of our larger competitors, you can imagine the impact of a fine like this on a small credit union with $10 million in assets and whose profits are well under $1 million. This could really harm the credit union. We'd recommend that the fines be geared to the size of the institution.
To help put these concerns in context, just to give you a sense of why these large and small institution issues matter to us, we did a study back in 2013 on regulatory burden. We found that small credit unions, those with fewer than 23 employees, devote fully one-fifth of their staff time to regulatory administration. It's a huge burden for our smaller institutions. Our bigger institutions devote only 4%, and keep in mind that our biggest institutions are many times smaller than the biggest banks out there.
The unintended consequence of a lot of the regulations that get imposed on the credit union system is that they inadvertently create a competitive advantage for larger institutions, and that's a concern for us. In fact, we raised that concern with the finance committee here at the House of Commons, and they agreed. They said that “the government should examine means by which credit unions and caisse populaires could be on a level playing field with Canada’s large financial institutions”. We think there are a couple of areas in this proposed legislation that could be tweaked to address that concern.
To conclude, we want to thank the committee for this opportunity to share our thoughts on Bill . We applaud the government for some important and positive changes, especially around information sharing to prevent financial abuse of seniors and to reduce administrative burden.
That said, we would recommend adjusting the bill to allow financial institutions to share information related to criminal activity in order to cover crimes such as bank robberies, ATM compromises, and so on. We are also recommending that the bill be modified to make it possible to disclose suspected abuse to a member of the individual's family, not just next of kin. Finally, we would just ask that the government continue to be sensitive to the needs of smaller financial institutions by, for example, aligning record-keeping with record-reporting requirements and making fines for non-compliance proportional to the size of the institution.
We want to thank the committee again for our opportunity to share these perspectives, and we look forward to your questions. Thank you.
:
I'm glad as well, Mr. Chair. Thank you.
My name is Randy Bundus, and I am senior vice-president, legal and general counsel, with lnsurance Bureau of Canada. I am joined by my colleagues Maddy Murariu, with IBC government relations, and Rick Dubin, with IBC's investigative services. We are pleased to be here today.
IBC is the national industry association representing over 90% of private home, car, and business insurers in Canada. My remarks will focus on how Bill will affect my industry's ability to continue to combat insurance crime, which includes fraud and auto theft.
Insurance crime is big business in Canada. A recent Ontario government task force estimated that in that province auto insurance fraud alone costs up to $1.6 billion yearly. Insurance crime costs everyone in higher premiums and increased costs to our legal and medical systems.
Our industry works hard to suppress and prevent insurance crime through early detection, and also works hard to protect our customers' privacy. Insurers know that they must safeguard customers' personal information or risk losing business.
There are different types of insurance crime. It can be opportunistic. For example, a driver hits a guardrail and then invites a friend, a “jump-in”, to falsely state that he was also in the vehicle and suffered an injury for which he then claims compensation. Opportunistic claims are handled by insurers, but PIPEDA does not allow one insurer to verify facts by reaching out directly to another insurer that might also have been victimized by the suspected fraudulent incident.
Insurance crime can also be premeditated and organized. Large crime rings stage collisions that involve fraudulent injury claimants and others such as auto body shops and medical rehabilitation clinics. A crime ring can generate several million dollars in fraudulent claims.
IBC's investigative services, or ISD, was the first designated investigative body under PIPEDA, and it plays a critical role in the investigation of organized insurance crime. ISD is uniquely positioned to investigate organized insurance crime that involves multiple insurers, multiple claims, and multiple claimants. An example of this is the case of a police officer in Peel Region who was convicted in February on 42 counts, including 21 counts of fraud. This officer falsely reported nine collisions and, as a result, 14 insurers paid out almost $1 million in false claims to 69 participants.
ISD begins an investigation as a result of being made aware of an anomaly in an insurance claim. Information triggering an investigation may come from an insurer, a victim, law enforcement, or a tip from an informant. ISD then acts as a case file manager, coordinating investigations and identifying linkages between parties that are then submitted to regulators and other enforcement agencies. Individual insurance companies are not well positioned to handle organized crime on this scale.
This brings me to Bill . We support the proposal in Bill S-4 to repeal the sections in PIPEDA that create investigative bodies and instead allow for an organization to disclose information to another organization in limited circumstances. These circumstances, as set out in Bill S-4, are to investigate a breach of an agreement or contravention of a law of Canada, and to detect, prevent, or suppress fraud.
My industry's experience under PIPEDA in investigating and detecting insurance crime has been of mixed success. While IBC's investigative services have been successful in combatting large, organized insurance crime, that has not always been the case for insurers in handling the opportunistic fraud. This is because many of the insurers are not able to disclose to each other information about suspected insurance crimes.
The proposed changes in Bill would help investigations into opportunistic or one-off insurance crimes involving only two claimants with two insurers, such as the jump-in example I gave earlier. Bill S-4 would allow insurers to disclose, in those very limited circumstances, when it is reasonable to do so, information to another insurer without the involvement of an investigative body.
An insurer could also disclose that information, in the same very restricted circumstances, to an organization such as ISD in the investigation of insurance fraud. In our view, this new process would be efficient and effective in detecting, preventing, and suppressing fraud, while still being respectful of privacy rights. Under Bill , ISD could continue to function as a case file manager for organized insurance crime.
In our written comments to this committee, we address a number of other important issues in Bill , including some minor wording changes to ensure consistency among the provisions allowing for responsible fraud investigations. We would be pleased to discuss these matters with this committee or with Industry Canada officials.
Thank you for your attention. I'd be happy to take any questions.
:
I think the best way is to give a very brief scenario and show you why we support this.
Here's a scenario that we've run into several times. We have a left-turn situation in front of what seems to be an innocent vehicle. The other vehicle turns in front, and there's a collision. There is not significant damage, just bumper damage to the front of this so-called innocent vehicle. The driver says there are three occupants in the vehicle. In reality—and this is what we're going to get to, these are what we call jump-ins—they weren't in the vehicle at the time the collision took place.
Keeping in mind that the vehicle making the left turn is usually presumed to be at fault, the adjuster now receives this claim and does what we call a Carfax or AutoPlus report, where they're looking into a general history of the driver and vehicle that they insure, and he would contact IBC. They'd find out from that information that this driver and the vehicle were involved in a previous collision. It does identify the other insurer as well in those public reports. What that information has that they're not able to get to yet is that the other insurer also had a left-turn situation with multiple occupants in this vehicle.
Now, this accident happened late at night in a quiet neighbourhood, obviously at an intersection, and there were no witnesses. All three occupants were claiming soft tissue injury, but they didn't report it at the scene of the accident so the police didn't attend.
Under the current law, the adjuster obviously can't contact the other insurer to find out the facts of the other collision, so they're in the dark at this point. In the meantime, the claim starts getting paid and the occupants receive weekly income disability payments. They attend rehab facilities for extensive treatment, all of them usually receiving the same type of extensive treatment of physiotherapy, massage therapy, or chiropractic. At the same time that these bills are building up, the body shop is now doing the repairs to a vehicle that could very well have been previously repaired in the other accident.
It's reported to IBC at this point by the insurer just to let us know that they have some concerns, but the other party looks at fault. They can't contact the other insurer, so they start payments.
We support the bill because if the bill were passed, it would allow the insurer of this vehicle to contact the other insurer. They would find out some of the scenarios, that the same scenario existed with the same service suppliers: they used the same rehab facility, the same body shop, everything was virtually the same. This accident even took place in the same area.
What I'm getting into is an identified social network. It creates linkages among the possible participants in the suspected fraud, but because they couldn't contact the other insurer, because they didn't want to be found to be in bad faith, they started payment. They would have informed IBC, and we would get to it at some point.
The problem that exists here is that by the insurer contacting the other insurer immediately when they had these red flags coming up, they could quickly ascertain that this is a very suspicious situation, and they're in a position to at least stop payment and deny the claimant, stop the bleeding. With the way things stand right now, because they don't want to be accused of bad faith, they start payments right away.
Finally, just to give you an idea of how serious this is in the province of Ontario, the Insurance Bureau of Canada has the statistics that the average accident benefits payment per person in Ontario is $31,785. This is the staged collision capital of Canada, right here in the GTA. The average in Atlantic Canada for accident benefits is $8,668, and in Alberta it's $3,766.
A major problem that exists here is the identity theft we're seeing with service suppliers. That's a key reason these individuals get these accident benefits forms submitted to the insurers; there's a lot of forgery going on.
:
Actually, no, and I have to say that this is a concern. If an injury is not reported at the scene of an accident...and these individuals intentionally do not report, in a lot of cases, at the scene of the accident and will go to a collision reporting centre afterward. At that point in time there will be a report taken.
The insurers have access to that report, but again, it's very limited information. All it's basically going to say is a left-turn situation. They probably charge the driver doing the left-turn situation that was staging this collision intentionally. It would just show the fact that the other driver drove into them. That's all they're going to have.
Actually, at the time, initially after the accident, they won't even have the names or facts of occupants, because the police didn't attend the scene of the accident. They've got up to 24 hours for these occupants to show up, let's say at a collision reporting centre, and claim that they were involved in an accident. In a lot of cases they don't even bother, and the next thing you know they've hired counsel and put the insurer on notice.
:
Well, I think the example I gave is.... The insurance industry is quite well trained in terms of first contact and the type of information they need to receive. They're just going to start acquiring what I gave you in terms of certain information: the time of the accident, where it took place, how many occupants, the nature of the damage, how soon was the tow truck driver there, did somebody recommend the body shop, how much damage was there to your vehicle, where were you going at the time, where were you coming from, how do you know these individuals, things like that.
They're going to start developing certain red flags. Based on those red flags, it doesn't mean that there's fraud; it means that it requires further investigation. This is the point that a prudent individual, having reasonable grounds, such as what I suggested, should be contacting the other insurer and saying, “What's happening here?”
In terms of another problem that exists, in 2014 IBC investigated on an ongoing basis 52 rings. A ring investigation usually involves at least 20 to 50 suspected staged collisions that we have to investigate. On top of that, we took 14 new ones. Even though the insurer reports it to us, we can't take these claims right away. They're going to sit until we can get to them, and unfortunately these payments are continuing all the way through. By the insurer being able to contact the other party, they would be able to stop the payment at this point in time.
Welcome to our witnesses. Thank you for appearing today.
I'd like to begin with Mr. Pigeon and Mr. Martin on the credit union side.
You spoke about elder abuse and fraud. You suggested, in your opening comments, that we're doing some things right with Bill I wonder if you could expand on it. You say in here that the measure could be refined, however, by making it possible to disclose suspected abuse to a member of the individual's family, and that research has shown that often, in the case of elder abuse, the next of kin is the abuser. You also talk about CUSOURCE as a training program, or you've taken some of your solutions and are applying them to day-to-day operations.
I wonder if you could talk about Bill and how this is making it more feasible to track elder abuse. What are you doing through CUSOURCE to make it work?
:
I'd like to highlight four of them. It's not that we would say, “Stop the bill and make these happen”, but in our mind, they would make for a better bill.
For example, in paragraph 7(1)(b), which is collect without consent in certain circumstances, we would also like to have a reference to collecting for the purpose of detecting, preventing, and suppressing fraud. We have the right to disclose for that purpose. Just to balance it out, having the right to collect would sort of be the other bookend to that.
We would also propose a small change to proposed paragraph 7(3)(d.2), and that's in the written submission we gave. It's to make sure we really have the ability to conduct those fraud analytics in a way that was recommended by the Ontario fraud task force.
A third change is with respect to proposed paragraph 7(3)(c.1). This is the provision that says you don't have to give access when someone makes an access request in certain circumstances. There's a reference in proposed paragraph 7(3)(c.1) to no access. We want to make sure there should be no access if the information is collected as part of the work product. We've added that work product aspect to the bill if we're able to collect information as part of a work product.
For example, insurers have claims files, adjusters have claims files, and we collect personal information in those claims files. In those claims files is also the reserve amount that has been set for that particular claim. It would be quite inappropriate in our mind to have to release the amount of that reserve amount for a particular claim via a PIPEDA request at the request of the person who is at the other side of the transaction. We would like to have that fixed if we could.
The fourth item is with respect to paragraph 9(3)(a). An amendment has been made already under Bill . We suggest in addition to having solicitor-client privilege, that litigation privilege also be a basis for that.
I would not stop the bill from being passed, but just have those changes. It would be a better world.
:
We have a concern where the breach might be of a minor nature but it would still be subject to very serious penalties, as was being referred to earlier. Including those as part of the requirement for record-keeping would be inappropriate.
I mean, think of an example where you step away from your computer, and a colleague from another department who doesn't have access might come to visit and see something on your screen for a second. They see some piece of personal information. Technically that could be a breach. It would be subject to putting it on the list and, if you don't do it, it could be subject to the penalties.
I think there are examples like that, very minor in nature, where we could clarify that those kinds of things are not covered. That can be done, as we suggested earlier, by regulations, by guidelines, or some other means.
I like the risk-based approach so that if we're talking about a real risk of significant harm, then those should definitely go on the list. What should go beyond that on the list is something I think should be discussed and clarified in a guideline or in regulations.
Even following the change in legislation being proposed here, we will most likely keep our office open, but in a more informal way.
Currently this imposes a regulatory burden because we have to meet certain criteria. People who work on this have to qualify. There has to be an investigation in the institution.
This will reduce our burden somewhat. We will probably keep the association, but implementing the changes proposed here will mean that the work will be less demanding in regulatory terms. It is a good thing for us.
As I said in the beginning, in situations where we have to compete with banks, we have to reduce our costs in every possible way; it is really important that we remain competitive.
Thank you to the witnesses.
I'd first like to provide a brief history of how we are where we are, and then ask for general comment from each of you on whether you support Bill going ahead or not going ahead. Then I will have some specific questions.
PIPEDA was passed in 2000. It came into force in 2001 to 2004, I believe. We can make changes to legislation in Parliament by legislation or by regulation. If it is by regulation, you regulate changes to existing legislation. It is also very common, and often required, that legislation be reviewed every five years. PIPEDA was reviewed in 2006-07, and some of you were involved in making recommendations as witnesses or by presenting submissions. The responsibility of the government is to listen to those and try to create a balance. Any legislative change is not going to get support from everyone for everything, because there are opposing ideas. But in general, I think, our government has reached that balance, and most of the witnesses from whom we have heard want Bill to go ahead.
We are about eight weeks away from this Parliament ending, and you may be the last group of witnesses that we hear from before we start dealing with the bill and working as a committee to see if we have any amendments. If there are amendments to this bill, given that there are only eight weeks left, it would be just about impossible, in my opinion, for Bill to move ahead, because it would then have to go back to the Senate.
I think I have heard general support for the bill going ahead.
Mr. Bundus, I think you said you don't want to stop it with these amendments; you want it to move forward.
I think, sir, you noted that changes could be made by regulation, which they can, if there are additional changes that need to be made.
Perhaps you could make a quick comment: do you support Bill moving ahead as it is now, or do you not support it moving ahead?
Maybe I could start with the Credit Union Central of Canada.
To the credit union, you mentioned the $100,000 penalty for non-compliance. As with in the Criminal Code, if there's a crime, a criminal offence, there are maximums. Rarely are there minimums, but in some cases there are. In this case, it's a maximum that could be fined, a penalty, and it would be up to the commissioner to decide whether or not that is appropriate. So the commissioner has the discretion to provide an appropriate penalty, but $100,000 would be the maximum.
Do you have a similar understanding?
:
The principle of insurance is that we all share in the expense of a loss. When everybody puts money into the bucket, if some small group of people experience a loss that year, we all share in that loss. The principles are that you do not gain, you do not benefit, other than being as best as possible being put back to the position before the loss, but you don't gain.
You're saying people who have not experienced a loss are gaining from that at everybody's expense. It makes everybody's insurance much more expensive when you have corruption. Most of the people who are in the investigative portion of your business, in my understanding, have police backgrounds, a large percentage of them, so they understand how the whole system works.
You also have houses involved. You've given examples of cars, but you could have fraudulent burning down of a house, or a loss of personal property, or even a car being burned because it's going to cost too much to fix the transmission, so now they can get $2,000 for the car that really was worthless.
There are many different ways. For houses, is this also a problem, where you can be tracking these losses to make sure that we're not all paying for fraudulent claims?
Thank you to all the witnesses for your testimony.
I must say, before I ask my questions, that because PIPEDA was passed in 2006, the review was to have been completed by 2011. So while I hear my colleagues commenting that we can't improve this bill because we're running out of time, frankly it reminds me of one of my three sons saying, “I don't have time to clean my room right now or I'm going to be late for school” when he had all weekend to clean his room.
The government has had four years. This review should have been completed four years ago, and the fact we're getting these amendments now at the industry committee, after they have already gone through the Senate, is frankly a bit of brinksmanship. So I would encourage the witnesses to keep an open mind that while, of course, we want to modernize this law, and we want to address the concerns people have, we also want to have a good law, and we should take the opportunity to try to address the concerns that witnesses, yourselves and others, have brought to us.
One of the concerns that has been raised—I'd like to put this to all of the witnesses—was that this bill does not comply with the Supreme Court Spencer decision, and therefore we need to update our legislation, and other jurisdictions will need to address this as well. I'd like to get your thoughts on that. Do any of you have concerns that this doesn't adequately protect privacy in light of the Spencer decision, or is it something that you feel your legal counsel says is not going to impact your interpretation of how this law would be viewed?
Who would like to start? Mr. Bundus.
I'm in the same position I was last week, when many of the questions I would have had were already answered.
I was struck by listening to the testimony today. You go through so many of the different areas that we've talked about, and we've heard witnesses say one thing to one extent and then different witnesses at a different time have said something completely on the other side of an issue and suggested that we move in a different direction.
I remember one witness in a previous meeting talking about the importance of getting this right, and I noticed that phrasing was in the Credit Union's opening statement saying that in this case they thought Bill does get it right, or gets a lot of things right.
On consent, for example, we've heard arguments that we should go in one direction or another. We've heard that with breaches: people saying it goes too far; people saying it doesn't go far enough. On information sharing now we're hearing the same thing.
Ms. Gratton, in your comments it was interesting, because I think your opening statement captured that balance, and the question of balance that we're trying to strike. It sounds like you think the legislation needs to go forward—you said that in questioning—but at the same time you have some questions. They're not necessarily declarative statements that this is what's going to happen down the road, but you asked whether we can find ways to avoid “over-disclosing”.
As this legislation hopefully passes and moves forward, what you are going to be watching for over the next few years in terms of the execution of this? We've heard, for example, on that issue, that in Alberta and B.C. there haven't been issues with that. Someone said that it's different circumstances with the federal legislation.
:
Well, we're certainly paying attention to the amendment. We're scratching our heads a little bit as to what exactly it means. I have been asked the question by a variety of my clients. We represent more than 99% of the life and health insurance industry, and many of the legal folks within that industry have come to me and said, “What does that mean that we have to do, technically?” That's technically in the sense of “On the ground, what am I supposed to do to ensure that this kind of understanding is there?”
As well, what's the difference from the rules now? Again, I think there's been a sense of knowing what you at least have to disclose to the consumer: what is the change going to be? I've certainly been asked the question, and I don't know what the answer is. That is why, in our opening statement, we said that we need to have that discussion with the folks at the department, with the folks at the OPC, whom I saw supported this. Obviously, the department supports it because they put it in, and the OPC was a witness indicating that.
I think we'll need their help with the provision, because we're a compliance-driven industry and we want to comply.
Thank you to the witnesses. Again, thank you for your persistence in getting here and your very wise counsel to us regarding this bill.
Colleagues, I understand there have been conversations in regard to amendments. There's a principle in that an amendment is the same as a motion. If it's presented to the clerk, it's considered confidential until it's moved in the committee. If you'd like to share amendments—I understand that is a desire—and if that's agreed upon, I need unanimous consent to have the clerk proceed in that fashion.
Do I have consent on that?
Some hon. members: Agreed.
The Chair: I see it's agreed 100%.
Please make sure that, if you have any amendments, they are given to the clerk by April 9. That way we'll be able to translate and distribute them amongst the members.
An hon. member: Is that a Thursday?
The Chair: Yes. We added a couple of extra days there. That will give the clerk ample time to get them out before we get back.
Our next meeting will be April 21, when we'll be going clause-by-clause. We will not be having a meeting next Tuesday.
Thank you very much, colleagues. We're adjourned.