Last week, the Privacy Commissioner of Canada released her vision of privacy reform, including the need for security breach disclosure legislation, order-making power, and greater transparency of warrantless disclosure. On the same day as Commissioner Stoddart released her position paper, the government was embarrassing itself in the House of Commons by formally opposing security breach disclosure legislation on the weakest of grounds. The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claims to be concerned with the privacy of Canadians.
The government introduced legislation featuring security breach disclosure requirements in Bill C-12 in September 2011 (itself a reintroduction of the former C-29 that was first introduced in 2010). Since first reading, the bill has not moved. It would take very little for the government to complete second reading and send the bill for study to committee, yet more than a year and a half later, the bill languishes, certain to die this summer when the government hits the parliamentary reset button. Frustrated by the inexplicable delays, NDP MP Charmaine Borg introduced a private member’s bill in February (C-475) that includes a mandatory security breach requirement roughly similar to the government’s own bill.
Both bills include notification requirements to the Privacy Commissioner of Canada in the event of certain security breaches. A comparison of the two bills is posted below:
| Bill C-12 (Government Bill) | Bill C-475 (MP Borg Private Member Bill) |
|---|---|
| (1) An organization shall report to the Commissioner any material breach of security safeguards involving personal information under its control. | (2) An organization having personal information under its control shall notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access. |
| (2) The factors that are relevant to determining whether a breach of security safeguards is material include (a) the sensitivity of the personal information; (b) the number of individuals whose personal information was involved; and (c) an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem. | (3) The factors that are relevant in determining whether a loss or disclosure of, or unauthorized access to, personal information would be considered by a reasonable person as creating a risk of harm are (a) the sensitivity of the personal information; and (b) the number of individuals whose personal information was involved. |
Both bills follow the notification to the Commissioner with a potential notification to individuals who may be affected by the breach. Notwithstanding the similarities, government MPs used debate in the House of Commons last week to mischaracterize C-475. Conservative MP Parm Gill stated:
I wish to point out that the data breach notification regime proposed in Bill C-475 takes a starkly different approach than that in Bill C-12. Bill C-475 requires organizations to first notify the Privacy Commissioner of every potential data breach, regardless of context or remoteness. The Privacy Commissioner must then determine whether affected individuals should be notified. Given the potential number of breaches that could be reported, such a regime would increase costs and burdensome compliance procedures for Canadian businesses and would impose an unwieldy financial and administrative burden on the Office of the Privacy Commissioner, generating more costs than benefits for taxpayers.
As the table notes, the claim that there is a required notification of every breach in C-475 regardless of context or remoteness is simply false. Gill also wrongly claimed that C-475 would not capture breaches only affecting a few individuals and that the bill does not define “appreciable risk of harm.” In fact, both C-12 and C-475 use roughly the same definition of harm. The inaccuracies continue as Gill claims that C-475 creates uncertainties on the form of notification, yet it follows much the same approach as C-12. After Gill’s inaccuracies, MP Mike Lake picks up the torch, making many of the same claims and then noting that C-12 addresses a broader range of PIPEDA reforms. That is an unfair comparison, given that C-475 only tries to address a narrow range of issues and only comes after the government sat on its own bill for a year and a half (other than a single request for unanimous consent to send the bill to committee).
While the government would have the public believe that its bill is preferable to Borg’s, the real message here is clear: the government isn’t serious about privacy reform and would rather mischaracterize efforts to get long overdue reforms moving as opposed to prioritizing its own bill that has not been allocated any time for debate since its introduction in September 2011.