Bill S-4, the government’s Digital Privacy Act, was sent for review to the Industry Committee yesterday. The committee review, which comes before second reading, represents what is likely to be the last opportunity to fix a bill that was supposed to be a good news story for the government but has caused serious concern within the Canadian privacy community. While there are several concerns (I raised them in my appearance before the Senate committee that first studied the bill), the chief one involves the potential expansion of voluntary disclosure of personal information without consent or court oversight. Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Translate the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
The government is clearly aware that this is a major concern as it attempted to answer the critics during debate over Bill S-4 in the House of Commons yesterday. Unfortunately, the responses were incredibly weak. I’ve identified at least six responses from government sources below.
1. Expanded Disclosure Without Consent is Needed for Investigations by Regulatory Bodies
Conservative MP Cheryl Gallant claimed that there is a need for the provision since there are regulatory bodies such as the College of Physicians and Surgeons of Ontario, the Law Society of Alberta, or the Association of Professional Engineers of Nova Scotia that may need to obtain personal information as part of an investigation into member conduct. Yet the three organizations are all already included in a list of organizations that qualify as investigative bodies and therefore can rely on an exception that permits disclosure. In fact, the list already includes nearly 100 organizations that ranges from the Association of Professional Geoscientists of Ontario to the Board of Funeral Services to the College of Midwives of Ontario. The law has been in effect for over 10 years, providing plenty of time for dozens of organizations to obtain regulatory approval. Opening the disclosures to any private organization is simply not needed as there is no problem for regulatory bodies that conduct member investigations.
2. Expanded Disclosure Without Consent is Consistent with a 2006 Committee Recommendation
Government MPs claim that the provision is merely implementing a 2006 recommendation from the last committee to consider Canadian private sector privacy law. But while the Standing Committee on Access to Information, Privacy and Ethics may have recommended a similar reform in 2006, that recommendation was rejected by both the Conservative government and the Privacy Commissioner of Canada. The committee recommendation appears to have come from a single submission from the Canadian Bar Association. The CBA appeared before the committee but was not questioned about the proposal. The CBA proposal focused specifically on personal information legally available to a party to a legal proceeding. That is much narrower than the Bill S-4 provision.
In fact, even that narrower proposal was rejected by the Conservative government in its response to the committee recommendations:
The government notes the Committee’s recommendation and acknowledges that it was made in response to concerns expressed by certain stakeholders regarding the need to ensure that PIPEDA does not impede litigation procedures. However, the government does not share the Committee’s view that such an amendment is necessary at this time.
The Privacy Commissioner of Canada also publicly opposed the recommendation, which she included among the six issues about which she had particular concerns:
The Canadian Bar Association recommended that the AB and BC Acts both provide clarity in regard to information legally available in a legal proceeding. I do not believe that this issue has posed any great difficulty over the past five years. The OPC has stated in complaints that the access provisions of PIPEDA may be broader than the requirements of discovery, depending on the breadth of documents relevant to a proceeding.
In other words, Bill S-4 contains an expanded version of a provision that one group asked for without facing any questions, that the government rejected when it was proposed, and about which the Privacy Commissioner of Canada expressed particular concern.
3. The Privacy Commissioner of Canada Supports Bill S-4
Government MPs claimed that the Privacy Commissioner of Canada supports Bill S-4. However, the Privacy Commissioner’s submission to the Senate committee specifically identified expanding voluntary disclosure without consent to private organizations as a concern:
While we understand the challenges created by the existing investigative body regime, we have some reservations about the proposed amendments. First, we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used...Finally, there is the issue of transparency. These disclosures will be invisible to the individuals concerned and to our Office. In order to provide greater accountability, we recommend that the Committee consider ways to require organizations to be more transparent about the disclosures they would make under this provision.
4. Canadians Expect Businesses to Disclose Their Personal Information
Conservative MP Joan Crockatt implausibly argued that Canadians expect that businesses will share their personal information in this manner:
The provisions in the bill would allow businesses to share information in the normal course of business in a very limited way. They are things that would actually be required for that business to be conducted. It would not involve something like a major search through data to look for information on a large number of consumers. This would be something that would be more specific to being able to conduct day-to-day business, something that consumers would expect when they are doing business with a corporation.
The reality is that the provision has nothing to do with day-to-day business operations. Indeed, businesses can easily obtain consent for that form of use. The provision in question involves disclosure without consent.
5. PIPEDA Already Includes Information Sharing Provisions
Industry Minister James Moore’s press secretary Jake Enright argued on Twitter that PIPEDA has always permitted information sharing. However, as Enright surely knows, PIPEDA does not currently include a blanket exception for disclosure to private sector organizations. There are an assortment of exceptions for disclosure without consent, but the broad permission found in Bill S-4 is not there. This is not a case of implementing strict rules, but rather expanding the scope of disclosure without consent or court oversight.
6. Bill S-4 Is Consistent With the Supreme Court of Canada Spencer Decision
Enright also maintained that Supreme Court of Canada’s Spencer decision, which found that there is a reasonable expectation of privacy in subscriber information, does not mean that Bill S-4 is unconstitutional. But the constitutionality argument is wholly beside the point given the emphasis on reasonable expectation of privacy. Moreover, when Moore appeared before the Senate committee, he argued that consumers may have agreed to the voluntary disclosures in their user agreements:
Well, if you agree to a contract, for example, with a telecommunications company, and as part of that contract you can surrender some of your capacity to have your information shared under certain circumstances, that can exist in a number of contractual situations, but that’s an individual signing a contract and agreeing to that openness in the case of a criminal investigation.
But the Supreme Court was dismissive of arguments that consumers had consented to the disclosure of their information in the ISP user agreements:
Whether or not disclosure of personal information by Shaw is “permitted” or “required by law” in turn depends on an analysis of the applicable statutory framework. The contractual provisions, read as a whole, are confusing and equivocal in terms of their impact on a user’s reasonable expectation of privacy in relation to police initiated requests for subscriber information.
The Court added:
Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.
The reality is that the expansion of voluntary disclosure of personal information without consent or court oversight is both overbroad and a serious threat to the privacy of Canadians. Indeed, when coupled with the expansion of voluntary warrantless disclosure to law enforcement in Bill C-13 (through full legal immunity) and the revelations of more than a million annual disclosures of subscriber information to law enforcement, it paints a picture of the government undermining privacy while claiming to protect it.