Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.
Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.
The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.
These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.
These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.
The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.
An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.
Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.
If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.
If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.
The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.
An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.
Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records, which will allow the commissioner to make sure that organizations are following the rules.
If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.
In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.
The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:
I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....
Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:
The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.
I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.
First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.
Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.
For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.
Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:
I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.
Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to the sharing of personal information without consent in narrow, limited circumstances.
PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.
In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada, expressed his strong support for Bill S-4 and the financial abuse amendment. He said:
In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.
The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.
Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:
—we support the clarification on the exclusion of business contact information... This section 4 clarification will better equip businesses to conduct their ongoing operations.
Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.
While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.
Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.
Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.
If either of these measures fails to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.
The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.
I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.
It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.
Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:
Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.
We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.
Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.