Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill’s shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.
The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.
Appearance before the Senate Transport and Communications Committee, June 4, 2014
Good evening. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
I’d like to structure my remarks by focusing on three welcome elements of Bill S-4, three areas in need of improvement, and one glaring omission.
The Welcome Provisions
First, the good news. Bill S-4 importantly provides additional clarification for the standard of consent. Given that meaningful consent provides the foundation for the law, the clarification is much-needed, particularly for minors. Consent is meaningless if the person does not understand to what they are consenting. By clarifying the standard of consent, businesses will have greater certainty and a clear obligation to ensure that Canadians are better informed about the collection, use and disclosure of their personal information.
Second, the expansion on publicly disclosing information is also a welcome addition and long overdue. I have long argued that the Office of the Privacy Commissioner adopted an unnecessarily conservative interpretation of the current provision that allows for naming organizations subject to complaints. The expansion of the provision sends a signal that the Commissioner should not hesitate to publicly disclose any information if it is in the public interest to do so. This would include poor organizational practices, well-founded complaints or public privacy risks.
Third, the extension of the deadline to take a complaint to the Federal Court is much needed as well, given that the current system represents an unnecessary barrier to potential pursuit of federal court review.
Areas in Need of Improvement
Let me now turn to three important aspects of the bill in need of improvement. First, the long-awaited security breach disclosure requirements. As you are aware, creating mandatory security breach disclosure requirements at the federal level is long overdue as it creates incentives for organizations to better protect our information and allows Canadians to take action to avoid risks such as identity theft. There are aspects of the Bill S-4 security breach rules that are better than those found in prior bills such as C-12 and C-29. Most notably, the inclusion of actual penalties is essential to create the necessary incentives for compliance.
However, there are problems with the standards for disclosure, some left over from the prior bill and some new to this bill.
From the prior bill, the standard for notification to individuals – “a real risk of significant harm to the individual” – should be lowered to ensure that the law captures more breaches. By comparison, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm. In Europe, telecom breaches must be reported based on an “adverse affect to personal data or privacy” standard, which is also better than the Bill S-4 approach. These are better approaches that make it more likely that Canadians will be informed when their information is caught up in a breach.
New to this bill is the removal of a two-stage process that involved first informing the Privacy Commissioner and then the individual where circumstances warrant it. Bill S-4 puzzlingly establishes the same standard – “real risk of significant harm” – for both notifying the Commissioner and individuals. This means there may be no notification for systemic security problems within an organization or technical standard vulnerabilities. I repeat – those kinds of breaches would not be disclosed to anyone. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks.
Why is this a problem? Because it is likely to result in significant under-reporting of breaches since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation since there is no reporting requirement to that office.
You have heard some suggest that all breaches should be reported to the Commissioner. This is the approach is some jurisdictions. For example, under a European Union regulation passed last year, all personal data breaches at telecom companies must reported to the national data protection authority.
I believe that the prior government bills (C-12 and C-29) offered a better, two-stage approach. The first notification to the Privacy Commissioner would occur where there is a “material breach of security safeguards”. Whether the breach was material depended upon the sensitivity of the information, the number of individuals affected, and whether there was a systemic problem. It did not require a risk of significant harm. The two-stage approach was far better, since it ensured notifications first to the Commissioner, including identifying systemic problems that may not be caught by the Bill S-4 approach.
I would therefore recommend two changes to these provisions: the California-style standard for notifications to individuals and the government’s own approach in C-12/C-29 to notifying the Commissioner as a first step.
The second major area for improvement involves the expansion of warrantless disclosure. At a time when many Canadians are concerned with voluntary, warrantless disclosure, the bill expands the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).
While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. This runs counter to recent Federal Court decisions that have sought to establish clear limits and oversight over such disclosures.
Moreover, the disclosure itself is kept secret from the affected individual, who is unlikely to complain since they will be unaware that their information has been disclosed. In fact, while a House of Commons committee may have recommended a similar reform in 2006, that recommendation was rejected at the time by both the Conservative government and the Privacy Commissioner of Canada.
The reform here is clear: the provision opening the door to the massive expansion of warrantless, non-notified voluntary disclosures should be removed.
Third, given the distinct lack of powers for the Privacy Commissioner of Canada, the creation of compliance agreements is a step in the right direction, but order-making power or at least some form direct regulatory action such as administrative and monetary penalties is needed. The inability to make well-founded findings ‘stick’ without first navigating an inaccessible and impractical trip to the federal court has been an enormous source of frustration for many Canadians.
The creation of compliance orders would have made sense if there had been some power to issue penalties or take regulatory action, as is the case in the United States where compliance orders are commonly used. Without such a threat, however, it is difficult to see why an organization would enter into such an agreement. Avoiding the federal court is something you do when you fear you might lose. That has not been the case under PIPEDA. Reforms are needed with real penalties to ensure compliance.
The Glaring Omission
The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures is a glaring omission from the bill and should be addressed. The stunning revelations about over 1 million requests and 750,000 disclosures of personal information – the majority without court oversight or warrant – points to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all – disclosure of our personal information often without our awareness or explicit consent.
This can be addressed through two reforms. First, the law should require organizations to publicly report on the number of disclosures they make to law enforcement without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception. This information should be disclosed in aggregate every 90 days. Second, organizations should be required to notify affected individuals within a reasonable time period of the disclosure – perhaps 60 days – unless doing so would affect an active investigation.
The adoption of these provisions – which would be consistent with what we heard from Mr. Therrien yesterday – would be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.