Yesterday I appeared before the Standing Committee on Industry, Science and Technology to discuss Bill S-4, the Digital Privacy Act. The discussion focused on a wide range of concerns, including the shortcomings in the security breach disclosure rules and the need for greater enforcement powers for the Privacy Commissioner of Canada. Metro News covered the appearance. My opening remarks are posted below. I’ll link to the full transcript once available.
Appearance before the Standing Committee on Industry, Science and Technology, March 10, 2015
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
I previously appeared before the Senate committee that studied Bill S-4. My remarks then focused on three issues:
1. I offered my support for several important provisions in the bill, particularly the additional clarification for the standard of consent, the extension of the deadline to take cases to the Federal Court, and the expansion of the powers for the Privacy Commissioner to publicly disclose information related to findings or other privacy matters.
2. I also identified issues that need amendment or improvement:
a. security breach disclosure rules, particularly the abandonment of a two-step disclosure process
b. compliance agreements, which should be strengthened with penalties or order making power
c. expansion of voluntary disclosure of personal information between private sector organizations.
3. I discussed missing provisions, namely the need for mandatory transparency reporting.
My time is limited this morning, so I’m going to delve deeper into two issues: the voluntary disclosure provision and transparency reporting.
1. Expansion of voluntary disclosure
Bill S-4 expands the possibility of personal information disclosure without consent or court oversight to anyone, not just law enforcement. As you know, the bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge or consent of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).
This broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. This runs counter to decisions from the Canadian courts, which have sought to establish clear limits and oversight over such disclosures, as well as to the spirit of the Supreme Court of Canada’s Spencer decision, which ruled that Canadians have a reasonable expectation of privacy in such information. In fact, if we examine the leading cases on disclosure of customer information in private litigation (Warman v. Fournier, BMG v. Doe, Voltage v. Doe), virtually all emphasize the need for safeguards before customers’ information is disclosed, even as part of an investigation.
A House of Commons committee did recommend a similar reform in 2006, but that recommendation was rejected at the time by both the Conservative government and the Privacy Commissioner of Canada.
I recognize that some have suggested that Alberta and British Columbia have similar provisions and that no harm has resulted from their approach.
I’m not so sure. I don’t think anyone can reasonably conclude that the provincial approach has not resulted in privacy risks or harm. It is important to bear in mind that the disclosure itself is not necessarily revealed to the affected individual. Indeed, the point is often to disclose without knowledge or consent, meaning the affected individual will not know that their information has been disclosed. Asking for evidence of harm, when the harmful conduct is kept secret from those who are affected, creates an impossible evidentiary burden.
In fact, even if you believe that the disclosures might come to light through court processes should a matter reach that point (and note that the disclosures can happen without it ever reaching that point), the cases in which such disclosures do come to light rarely arise under provincial privacy law. It is no coincidence that the leading cases on personal information disclosure arise from PIPEDA, as these cases often involve telecom companies, Internet service providers, Internet websites and banks – all largely governed by PIPEDA. In other words, the existence of the provision at the provincial level tells us very little about how it will be used under PIPEDA.
The reform here is clear. There is no compelling need for the change – the current system has been in place for many years and dozens of organizations are covered by the investigative bodies exception. That may have been a hassle ten years ago, but reform now makes little sense. Further, if there are specific industries with concerns, those can be addressed through a narrow amendment. The broad provision opening the door to the massive expansion of warrantless, non-notified voluntary disclosures should be removed.
2. Transparency reporting
The lack of transparency and reporting requirements associated with personal information disclosures is a glaring omission from the bill and should be addressed. The stunning revelations last year about over 1 million requests and 750,000 disclosures of personal information – the majority without court oversight or warrant – point to an enormously troubling weakness in Canada’s privacy laws. More recently, a Privacy Commissioner of Canada audit into RCMP requests for subscriber information was abandoned after auditors found that the data was inaccurate and incomplete.
Some companies such as Rogers and Telus have begun issuing transparency reports, but others – most notably Bell – have not. Most Canadians have no awareness of these disclosures.
This can be addressed through two reforms. First, the law should require organizations to publicly report on the number of disclosures they make without knowledge or consent and without a judicial warrant. This information should be disclosed in aggregate every 90 days. Second, organizations should be required to notify affected individuals within a reasonable time period after the disclosure.
The adoption of these provisions would be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
I welcome your questions.