Yesterday I appeared before the Standing Committee on Industry, Science and Technology to discuss Bill S-4, the Digital Privacy Act. The discussion focused on a wide range of concerns, including the shortcomings in the security breach disclosure rules and the need for greater enforcement powers for the Privacy Commissioner of Canada. Metro News covered the appearance. My opening remarks are posted below. I’ll link to the full transcript once available.
Post Tagged with: "digital privacy act"
Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight
My column this week on warrantless access to personal information under Canadian law noted that Bill S-4, the Digital Privacy Act, will expand the likelihood warrantless disclosures between private organizations. As I posted recently:
Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
The Expansion of Personal Information Disclosure Without Consent: Unpacking the Government’s Weak Response to Digital Privacy Act Concerns
Bill S-4, the government’s Digital Privacy Act, was sent for review to the Industry Committee yesterday. The committee review, which comes before second reading, represents what is likely to be the last opportunity to fix a bill that was supposed to be a good news story for the government but has caused serious concern within the Canadian privacy community. While there are several concerns (I raised them in my appearance before the Senate committee that first studied the bill), the chief one involves the potential expansion of voluntary disclosure of personal information without consent or court oversight. Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Translate the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
The government is clearly aware that this is a major concern as it attempted to answer the critics during debate over Bill S-4 in the House of Commons yesterday. Unfortunately, the responses were incredibly weak. I’ve identified at least six responses from government sources below.
Government Rejects Supreme Court Privacy Decision: Claims Ruling Has No Effect on Privacy Reform
Having had the benefit of a few days to consider the implications of the Supreme Court of Canada decision in Spencer, the Senate last night proceeded to ignore the court and pass Bill S-4, the Digital Privacy Act, unchanged. The bill extends the ability to disclose subscriber information without a warrant from law enforcement to any private sector organizations by including a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. Given the Spencer decision, it seems unlikely that organizations will voluntarily disclose such information as they would face the prospect of complaints for violations of PIPEDA.
Despite a strong ruling from the Supreme Court of Canada that explicitly rejected the very foundation of the government’s arguments for voluntary warrantless disclosure, the government’s response is “the decision has no effect whatsoever on Bill S-4.”