News

C-29: The Anti-Privacy Privacy Bill

Industry Minister Tony Clement introduced two bills yesterday – the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians' Personal Information Act (C-29). I have spoken positively about C-28 (here, here, and here), which is long overdue and should receive swift passage. By contrast, C-29 is a huge disappointment. The bill is also long overdue, as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.

Just over three years later, the government has introduced a bill that does little for Canadians' privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes).  The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere.  In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.

The New Business Exceptions

The business exceptions address several issues:

  1. The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses.  This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address.  The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools. 
  2. The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions.  The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.
  3. The bill creates a new exception for the collection, use, and disclosure of personal information contained in a witness statement related to an insurance claim.
  4. The bill creates a new work product exception for the collection, use, and disclosure of information produced by an individual in the course of their employment.  There is also an exception for the employer's collection, use, and disclosure of employee information to "establish, manage or terminate an employment relationship."
  5. The bill creates a new exception for businesses that voluntarily disclose personal information to other organizations for the investigation of a breach of an agreement that has been, is being, or is about to be committed.  This exception also extends to disclosure to "prevent, detect or suppress fraud."

Law Enforcement Provisions

Law enforcement also benefits from new provisions, which could have a significant impact on businesses and individual Canadians.

  1. The bill purports to clarify "lawful authority" (i.e., disclosure to lawful authority without a court order) but, as David Fraser notes, it really doesn't clarify much of anything.  Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority.
  2. Once a business has disclosed personal information to law enforcement, the bill includes a provision blocking it from disclosing the disclosure to the affected individual.  This USA Patriot Act-like provision includes detailed rules on how such disclosures can occur, including mandatory delays and government notifications.  In other words, once a business has disclosed personal information, the bill strongly encourages it to keep its proverbial mouth shut.

Security Breach Disclosure

As for individuals, there is a notable clarification of the meaning of consent, but the big addition is the creation of a security breach disclosure requirement.  Unfortunately, the proposed approach is extremely weak when compared with similar statutes elsewhere.  The security breach requirements include:

  • A requirement to report a "material breach of security safeguards involving personal information under its control" to the Privacy Commissioner.  The organization determines whether the breach is material, having regard to the sensitivity of the information, the number of individuals affected, and whether there is a systemic problem.
  • A second requirement to report to individuals affected by the breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual."  The organization makes its own determination of whether there is a real risk, having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.  The notification must be given "as soon as feasible."  Notifications may also go to other organizations if doing so may reduce the risk of harm.

While this is better than the current situation, where there is no security breach disclosure requirement, it is far less than the rules found elsewhere.  This proposal sets a very high threshold for disclosure, contains no clear penalties for non-disclosure, and does not feature a private right of action that might be used by individuals to further encourage compliance.

By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.   In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).  Moreover, the California law requires disclosure in the most expedient time possible and without unreasonable delay – far quicker than the Canadian proposal.

Some states also establish tough penalties for failure to promptly notify.  For example, Florida's law provides for penalties of up to $500,000 for failure to notify and up to $50,000 for failure to document non-notifications of security breaches.  Michigan's penalties run up to $750,000.  Moreover, some states (such as Louisiana and New Hampshire) establish private rights of action that provide for civil actions to recover actual damages sustained by individuals in cases of security breaches.  Proposed language in Canada from the Uniform Law Conference of Canada's model data breach notification statute also envisions penalties for non-compliance (though it also includes a "significant harm" threshold).

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices. When combined with the rest of the bill – which includes new exceptions for work product, new barriers to disclosing disclosures and further encourages disclosures without court oversight – C-29 does not do nearly enough to advance the Canadian privacy law framework in a manner that actually protects personal privacy.

30 Comments

  1. colour me surprised
    Sorry to sound so pessimistic yet again, but this is just business as usual up in Ottawa.

    “Government for the business.”

    Screw the little people — the ones that actually gave us our seats.

  2. Given your interest in protecting your information online. I thought I would share this video with you about how Internet Explorer 8 helps protect your identity online.

  3. Junji Hiroma says:

    @Brian
    Nope, they are pandering to the States. Read the Patriot Act and compare it to this law. They are about the SAME, but with a twist in our version.


  4. It’s just one step closer to adopting ACTA, in all IT’S glory. Big Brother is coming.

  5. exploderator says:

    More law from our corporate overlords…
    It never ceases to depress me, just how badly behind the curve these dinosaurs are. It feels like the Bush years, failed down South, so now moved North to greener pastures / easier suckers.

    The public, the little people, are the true foundation of our society. The more we are debased, both by corporate negligence and willful neglect from our own government, the less WE build a strong Canada. Protecting the basic security of the public is the starting point of guaranteeing our productivity. These laws only benefit at very most the 10% most wealthy amongst us, including their politician lackeys. That leaves 90% of us exposed, and often injured; we become unhappy, fearful, hesitant, poor. It is not the way forwards. This is what happens when the people’s elected voices succumb to greed, mistaking the voice of quarterly stock profits (gambling) for the voice of a healthy society. We get sold out in favor of what appears to be higher profits, but what can only lead towards wider spread impoverishment. Carefully protecting the fundamental rights and safety of the public is what makes us strong, civilized and productive.

    Between this law and the probably horrible upcoming (DRM) copyright laws, we seem to be headed quickly into technological corporate heaven (anarchy), where we don’t have laws that truly keep things civil for all players, don’t have laws that hold the fine balance of true justice. It’s not going to be pretty. We will look back and remember this as the era that, when faced with the most amazing revolution in human history, our dear leaders deliberately gutted and blocked the only systems we had that could maintain a civil and equitable society.

    We need a new form of governance, this one is now just an expensive malignant cancerous tumor, and we are without honest leaders.

  6. I am writing my MP over this.
    Re: Law Enforcement Provisions

    This is bad, it is allowing the government to monitor us without court approval. This is not the Canadian style of government.

    I don’t know why you’re all so pessimistic, if we fight this, we can win. No one wants a police state, we just need to get the word out.

  7. exploderator says:

    Just because you're paranoid, doesn't mean they're not out to get you:
    Honestly, what we still call “government” and “politics” these days is a farce. An illusion carefully drawn in the ashes of our once public institutions. An illusion funded and kept up by a sickly alliance between corporate predators, and the terrified, ass-covering, “just let me get to retirement” weaselly bureaucrats who schizophrenically serve between the corporate hunger and their own fear. An illusion that is a perfect reflection of a totally crippled and useless democratic process. If you can admit that it’s effectively impossible for the foreseeable future to actually launch a new political party and elect them to majority in Canada, then you should admit that our “democracy” is comatose, and we’ll be still stuck in the mud (and brambles) while computer technology lights our world on fire.

  8. exploderator says:

    Does anyone have an open format copy of what the law would actually become?
    “(David Fraser has helpfully created a redline version of PIPEDA with the proposed changes)”

    …which doesn’t work nicely. I get a google docs login, and who knows what lies behind that. How about HTML or PDF, for the rest of us? Without this, and not knowing the previous laws intimately by memory, it’s kind of hard to assess what C-29 actually means.

    Cheers and thanks

  9. Laurel L. Russwurm says:

    Like they will tell on themselves… I don’t think so.
    Ak! The people who have breached my security get to decide if it is important/serious enough to tell me….?

    What is this: quick lets put all the pro-corporate legislation through before Canadians notice year?

    More stuff to complain about in our #digicon submission

    @exploderator pssst… PDF is NOT open (quasi open at best… anything that forces you to put software you don't want on your own computer)

  10. I snagged and uploaded the doc to my webspace for ya Exploderator
    @exploderator:
    I downloaded the PDF from the link given here, and uploaded it to my webspace so those without a google docs account can access it 🙂 Cheers

    http://www.iaps.ca/cfx/milo/Personal Information Protection and Electronic Documents Act (amended).pdf

  11. exploderator says:

    @ Laurel L. R.
    Sorry, I know .pdf isn’t open, but at least it’s fairly ubiquitous, and there are fully open source .pdf tools as well, not Adobe. Ironic thing is, it would probably be a violation of copyright to republish the law (format shifted no less) without official Crown permission, maybe even a criminal offense soon. I did manage to get into google.docs, and the print button made me a .pdf to download.

    BTW, work forced me to put Windoze on my computer long ago (software I don’t want), and it’s just been downhill steadily from there ever since, with Billy at the helm.

  12. maebnoom says:

    I don’t think these old farts in Ottawa have ever seen an Internet before. 😉 They’re literally just taking the word of whoever throws the most money at them. I’d trust their opinions on supersymmetric quantum mechanics more than that of the digital world.

  13. Decent bill
    “In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.”

    This is understandable. It would be expensive and time consuming to identify people involved in a breach of security. It would also delay projects and make Canadian companies less competitive.

  14. About Security Breach Disclosure
    How does the requirement for companies to disclose breaches that create a “real risk of significant harm” change the situation as it already stands? Without any penalties, the only real consequence of non-compliance would be that the affected individuals could sue for damages, but if actual damages were incurred as a result of non-disclosure couldn’t they already do that? I don’t pretend to understand how current Canadian law works in that regard, but it stands to reason that this probably does little more than clarify the existing situation.

  15. exploderator says:

    @ Milos
    Thanks for putting that up. As noted in other post, I did manage to get it myself. Your effort should be helpful for anyone else without a Google account though. Just be forewarned that you might be violating Crown copyright by “distributing” this, especially including the format shifting 😉 Maybe they’ll sue your ISP too, as accessories to the crime. Oh wait, C-61 or C-61.1 hasn’t passed yet. Pheeeew.

  16. exploderator says:

    @ Ryan, re: Decent bill ???
    Is my sarcasometer broken?

    If this bill is supposed to “protect” privacy, but leaves no tangible motive for companies to do anything, then the public is left with no protection. If some company has been hacked, and your data was stolen, wouldn’t you need to know? You are likely the only person with the will and ability to protect yourself, and you won’t even have a chance if you never know. It is almost preposterous to even think that a company would be in a position to adequately judge the seriousness, given that they are not you, and cannot have enough knowledge to safely preclude the possibility of harm to you. For example, take a woman hiding herself & kids from a violent ex-partner. Legal protections (eg restraining orders) are often not much help, so she may well need to keep her address hidden. This is very common. Now say she buys something on-line and that business is hacked (also very common), but only the name+address+phone info (again, often kept much less securely than card numbers). They deem this non threatening, and decline to inform anyone, but the data ends up on-line, and her psychotic ex can now find her. How can they be the judge? Would you honestly want that treatment for yourself?

    Honestly, in this digital era, it should not be too onerous for a company to have their computer print out the notifications, and if it really is that hard, perhaps they will be motivated instead to properly secure our data in the first place.

    It can take the threat of substantial penalties to motivate companies to endure the well deserved embarrassment of getting hacked, admit the breach, and notify people properly. And if they don't admit the breach themselves, then the public may well never know who is responsible. The ability to sue may do little good if you never know and cannot prove who is at fault. How many people have you done business with, and how can you prove which one is responsible? Remember, most organizations will have much to lose if they admit a breach, and very little if they cover it up, at least under this law.

    Sorry, but if this law is as toothless as it seems, it’s as decent as picking up a street walker, and not using a condom. But A LOT more dangerous to us all.

  17. Anonymous says:

    Lawful authority
    Wow. Is there some kind of competition to see how *often* they can break Stockwell Day’s promise not to give information to police without a warrant?

  18. Enough is Enough
    I sincerely hope this pushes us into another election and that the electorate actually manages to turn out this time. I for one have had more than enough of this kind of Bill. This just cannot be allowed to continue. First mandatory minimums in some BS get tough on crime bill, then copyright over and over again. I am beyond tired of watching this government try to erode our rights in this fashion.

  19. Don’t Count on the Opposition
    If you’re hoping that any opposition members are going to jump all over this you’re probably going to be disappointed.

    Our democracy is seriously broken and our politicians are paralyzed by poll numbers and camera theatrics.

    But then again… sitting behind my keyboard bitching about it is definitely going to improve things. Yes?

  20. cndcitizen says:

    Strange, why a supposed consumer bill…
    Ends up just protecting the corp…if any security breach released my information, I would demand to know about it. We get enough telemarketing calls and crap coming through that we don't need another avenue. If a security breach happened AT ALL, then the affected parties should be notified and the company that was lax on their security should pay up for monitoring and damages. Companies have been too lax in their security of data to worry about this to this point and with this bill it just adds to their "we'll look at it later" attitude.

  21. cndcitizen says:

    Consumer?
    Since a lot of data breaches are identified or security holes are identified prior to the breach, I think the law should allow for ALL email and text communication within the company to be requested (like financial account audits) by parties. This would allow for clear culpability in the event that someone said…well it is not severe so we won't fix it until we get a breach, a type of situation that happens all too many times in this industry…trust me…if you knew how much information was disclosed without reason you would be shocked…..employees testing a new application getting a full database of client information for their testing and then losing it, or not having any checks that it is deleted…Security breaches aren't just about hacking, it is about negligent employees not securing the data that they have access to.

  22. cndcitizen says:

    Example
    Sorry, as an example, I was emailed a zip file with an Excel spreadsheet of a huge (10k+) set of user information for work with a client during development. The information also contained, amongst other things, salary, employment time, etc, etc…I knew clearly that that violated that company's security, that their employees could not send that information out. I quickly deleted it and notified the client, but since it was sent in unencrypted email….who else has that information? The employee was fired but no word on this security breach ever hit the papers…think of if the tax office was working with a developer that did this and the developer had subcontractors in other parts of the world…is the company required to tell them that it was broadcast around the world or do they just say…whatever..

  23. alex jones talks canada

  24. exploderator says:

    @ ted
    I like Alex Jones, and respect his determination, hard work, and dedication. But I think it’s a real shame he can’t stop himself from excessive exaggeration and hyperbole. It rightly undermines his credibility with anyone who knows better. He almost always has something really worth listening to, but it’s also almost always completely admixed with utter BS, and it takes a lot of careful thought and background knowledge to filter what he says. Again, it’s a shame, because he is often a leader in trying to expose the ugly stuff that lurks under the surface of our society.

    And while Alex is most assuredly a conspiracy theorist, I have much less respect for the many blind coincidence theorists, who fanatically deny any and every possibility of corruption or hidden intent, apparently because it makes them uncomfortable to think about things they don’t like, and admit what they don’t know. Just because you’re paranoid, doesn’t mean they aren’t out to get you.

    Personally, I think it's obvious that there are too many back room deals, happening in secrecy, and unjustly outside the realm of honest public scrutiny. It's been the norm in business forever, and it seems to be becoming the norm in politics too, Canadian and otherwise. To proffer the notion that all these hidden negotiations are sure to be purely honest and benign is foolish and naive at best, and is gross negligence when it is our duty to vigilantly guard justice. If you can't see that this general state of affairs exactly equals conspiracy, then I suggest you go check a dictionary. And because we are by force not privy to such negotiations, it becomes our duty to theorize about them, using the best insights we have.

  25. Joseph Belsanti says:

    Mandatory Breach Notification not included is ridiculous
    As you comment, financial penalties and mandatory notification clauses must be included not only to keep up with other international privacy and security regulations, but to protect individuals who want to take action as a result of an institution or organization losing their respective PII (Personally Identifiable Information) so they can protect themselves against potential financial fraud and identity theft. This is also a good thing for businesses to mitigate any losses here. Not including mandatory breach notification and the clear steps on what must be done to notify is simply ridiculous. Moreover, legislators need to keep up with technology in order to construct better exemption clauses under breach notification … for example, the exemption clauses included not only CS 1386 but other Acts referring to encryption like the GLBA, and the German Bundesdatenschutzgesetz – Germany's Federal Data Protection Act – as only two examples. Exemption should be granted if the media or medium upon which the data resides is encrypted, not if the data is encrypted, for a number of very good technology reasons. Simply encrypting the data is not good enough. The media or medium needs to be encrypted to protect archived residual files containing PII on the laptop or USB stick that is lost or stolen – for example.

  26. privacy commissioners may differ?
    I had thought that most if not all Canadian privacy commissioners had agreed that a risk-based approach was a better test for breach notification than a data-based approach like California’s or many US statutes’, where only if specifically listed information is compromised is there a duty to notify.

    The Privacy Commissioner of Canada last year said that the Industry Canada 2008 proposal on ‘substantial risk of significant harm’ was too demanding. Alberta’s recently-in-force amendments to its privacy statute are basically the same test as in C-29: reasonable person’s estimate of real risk of significant harm.

    Ontario’s IPC has said that that province’s personal health info statute – which has an absolute duty to disclose any compromise – could usefully be amended to a risk-based system.

    At some point the holder of the data is ALWAYS going to have to decide whether to disclose or not, whatever the breach. There has to be some test. The question in a statute is who finds out and who makes the ultimate call. But making the data holder report to a commissioner – when? every single possible compromise? – gives a ton of work to the commissions, which have a lot of work already.

    Industry Canada’s 2008 paper explains why penalties are not needed – mainly that the Commissioner gets a lot of compliance under the present system, and she has publicity and ultimately the Federal Court to back her up. In other words, the lack of direct penalties has not been a problem so far.

    As for private rights of action, unless one legislates statutory damages, so far in the US, no one has actually been able to prove damages and causation for a breach, so they are more symbolic than a real threat to the data holders.

    In short, I don’t think the bill is as bad as Prof Geist says it is on this point, and it is completely consistent (for better or worse) with all the other Canadian legislation, and better than some of the American.

  27. Welcome to the New World Order
    So the Fascists lost WWII did they?

    Britain has become a surveillance state out of the most unsettling of sci-fi movies, the US edges ever nearer to a police state, Canada in many ways is closer than the US (while further away in others). Police have stopped wearing blue and gone to black for their uniforms. When the G## hits Toronto people will need authorizations and ID papers to get to and from their own homes.

    These changes would see businesses deciding what was acceptable harm to clients, and the police “and other government agencies” able to gather data without court oversight (not that that always means much) or accountability, and without the person even being informed let alone consenting (ala Patriot Act).

    And it isn’t just the Conservative Party, all the major parties have similar restrictive agendas, just different paths.

    Welcome to the Fourth Reich.

  28. So now what?
    These revelations (and other related stories) usually have the same effect on me every time – frustration to the point of paralysis. I don’t know how to effectively fight these agendas, and I wonder if anybody else does either.

    The established protocols for citizen involvement in government are increasingly fucking useless (see Tony Clement & the “new” copyright legislation, as well as the “same old bullshit” approach taken by governments), while governments cede more and more power to corporations.

    We’re witnessing the transfer of the responsibilities of government to organizations that have an even worse track record than actual governments!

    So my question is: What the fuck are we supposed to do in our own lives?

  29. MadCanCitizen says:

    Safeguarding? Lies! The Beginning of the end of privacy.
    Law enforcement powers to secretly spy on citizen’s records from ISPs, telcos, employers, etc. without an order/warrant is NOT what Canadian citizens want.

    They’re trying to sneak this in and strip the peoples’ privacy away while everyone is focused on the Copyright bill. What citizen is going to feel secure about any actions or opinions they wish to do or express knowing they can be secretly identified and targeted? There will be more than copyright to worry about if you have no privacy.

    I suppose the next bill introduced will finish off any details this Anti-Privacy bill missed.

    Concerned Canadians should vehemently oppose this bill. TAKE ACTION, spread awareness, and encourage others to do the same.
