Appearance before the Senate Transport and Communications Committee on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act)

June 4, 2014
Ottawa, Ontario

Opening Statement by Patricia Kosseim
Senior General Counsel and Director General
Office of the Privacy Commissioner of Canada

(Check against delivery)

---

Thank you, Mister Chair and members of the Committee, for inviting the Office of the Privacy Commissioner of Canada to discuss Bill S-4, an Act to amend the Personal Information Protection and Electronic Documents Act, or PIPEDA as it is commonly known.

Joining me today is Carman Baggaley, Senior Policy Analyst.

As you know the Office is in a period of transition.  We cannot speak on behalf of the soon to be appointed Commissioner.  But as you have asked us to appear today we will be presenting our views as they have evolved after more than ten years’ experience applying the Act under the leadership of Commissioner Stoddart and more recently, Interim Commissioner Bernier.

Let me begin by saying that we are pleased that the Government has introduced legislation to update PIPEDA.  This is the third such Bill that has been introduced and we hope that Bill S-4 will, in fact, result in legislation.

We have provided the Committee with a detailed written submission on Bill S-4 but given the limited time we have today, we will limit our comments to a few more noteworthy amendments.   

We believe Bill S-4 will strengthen privacy protections for Canadians in their dealings with private sector companies and build consumer trust in the digital economy.

In particular, we welcome the proposals to introduce mandatory breach notification and voluntary compliance agreements. 

Requiring notification of breaches that pose a “real risk of significant harm” will bring PIPEDA into line with notification laws that have been introduced in many other jurisdictions. The notification proposals in S-4 strike a reasonable balance in our view. 

Further, requiring organizations to keep and maintain a record of every breach, and provide our Office with a copy of this record on request is an important accountability mechanism that will allow our Office to evaluate compliance with the notification provisions and assess how organizations are making the determination whether to notify. 

The proposed compliance agreements are an innovative way of encouraging organizations to work with our Office to improve their practices while providing our Office with a recourse mechanism to ensure that companies carry through on commitments they make pursuant to our investigations. 

The proposal to extend the window for filing applications in Federal Court from 45 days to a year gives all parties more flexibility to resolve complex issues within a more realistic timeframe.  

We are also pleased by the proposed amendment to clarify the requirements for valid consent and by the proposal to broaden the scope of information we can disclose in the public interest.

The proposed amendments to allow disclosures to communicate with the next of kin, or to identify, an injured, ill or deceased person serve important compassionate or humanitarian purposes.  

The proposal to allow disclosures to facilitate business transactions addresses a gap that has become apparent since PIPEDA was passed.  The safeguards built into these provisions should minimize the risk of abuse.

We do, however, have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2) that would allow an organization to disclose personal information to another organization without consent in certain circumstances.   We are concerned that these two amendments could lead to excessive disclosures that would be invisible both to the individuals concerned and to our Office.  In our submission we suggest some ways to minimize the risk of over disclosing and we urge the Committee to consider ways to require organizations to be more transparent about these disclosures.   

Lastly, we also believe more transparency is required around disclosures under paragraph 7(3)(c.1).  This paragraph allows organizations to disclose personal information without consent to government institutions with lawful authority to request information it suspects relates to national security, or for certain purposes, including law enforcement.

We recommend that, at a minimum, organizations should be required to keep a record of these warrantless disclosures, and make these data publicly available in aggregate form, as some American-based organizations currently do.

Thank you for this opportunity to appear, and we would be pleased to answer any questions you may have.