Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act
Submission to the Senate Standing Committee on Transport and Communications
Introduction
The Personal Information Protection and Electronic Documents Act (PIPEDA) received Royal Assent on April 13, 2000 and it came into force in stages, beginning on January 1, 2001. PIPEDA came fully into force on January 1, 2004.
PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities. It also applies to the collection, use and disclosure of personal information pertaining to the employees of federal works, undertakings and businesses (FWUBs) – banks, airlines, telecommunications and broadcasting companies and other federally regulated industries.
The Purpose of PIPEDA as set out in section 3 is:
"to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."
The Parliamentary Review
PIPEDA contains a provision requiring a Parliamentary Review every five years following the coming into force. The purpose of the Review is to ensure that the legislation is operating as it should, with the desired effects.
The House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Standing Committee) commenced a review in 2006 and issued its Report in May 2007 after hearing from more than 60 witnesses and receiving more than 30 submissions. The Review provided interested stakeholders with an opportunity to raise issues and identify possible changes to the Act to ensure that the broad policy objectives would continue to be met.
Bill S-4, the Digital Privacy Act, is the third Bill that has been introduced to update PIPEDA. Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act) was introduced on May 25, 2010. Bill C-12, which was essentially identical to Bill C-29, was introduced on September 29, 2011. Both C-29 and C-12 died with prorogation. While S-4 contains some of the provisions in the previous Bills, it contains new provisions and it does not include some of the amendments proposed in C-29 and C-12.
Comments On Specific Provisions In S-4
Bill S-4 amends many provisions in PIPEDA. On the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In particular, we welcome proposals to introduce a mandatory breach notification regime, and the compliance agreement provisions that will make it easier for our Office to ensure that companies meet the commitments they have made during investigations.
In general, we also support other proposed amendments that address problems or gaps that have become apparent during the more than thirteen years that PIPEDA has been in force. We will however raise some questions about the proposals to allow organizations to more easily disclose personal information to other organizations without consent and we will suggest improving an existing provision in PIPEDA (paragraph 7(3)(c.1)) not addressed in S-4.
Breach Notification
S-4 adds three new sections to PIPEDA: 10.1, 10.2 and 10.3, dealing with “Breaches of Security Safeguards”. An organization that has experienced a breach of security safeguards involving personal information under its control will be required to provide notification in three circumstances:
- to the Privacy Commissioner “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”;
- to the individuals whose personal information is involved “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”; and
- to other organizations or government institutions if the notifying organization believes that the other organization or the government institution may be able to reduce the risk of harm that could result from the data breach or mitigate that harm.
The definitions section defines a breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”
We strongly support these provisions. During the last few years we have seen a number of high profile data breaches both in Canada and abroad that compromised the personal information of Canadians. These provisions will create an incentive for organizations to take information security more seriously. In addition, they will provide individuals with information that will help them mitigate the risks resulting from the loss of, or unauthorized access to, their personal information.
Implementing mandatory breach notification provisions will bring PIPEDA into line with many other jurisdictions:
- Alberta’s Personal Information Protection Act (PIPA) and some provincial personal health information protection acts contain mandatory breach notification;
- Almost every state in the United States has legislation making notification of individuals mandatory in certain circumstances; and
- The recently revised OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data contain a breach notification recommendation.
S-4 proposes a risk-based approach that will require organizations themselves to assess each incident on a case-by-case basis to determine the seriousness of the incident and its potential impact on the affected individuals. We support a risk-based approach. Furthermore, we believe that the organization experiencing the breach is in the best position to assess the risks to decide whether notification is warranted.
As for the threshold for notification, we believe it would be counterproductive to require organizations to notify individuals of all breaches. Similarly, we do not think it would be practical or efficient to require organizations to notify our Office of all breaches.
S-4 will require organizations to keep and maintain a record of every breach and provide our Office with a copy of this record on request. (Footnote 1) Requiring organizations to keep a record of all breaches, including ones where a decision has been made not to notify, is critically important. It will allow our Office to evaluate compliance with the notification provisions and assess how organizations are making the determination whether to notify.
S-4 contains related amendments to subsections 11(1) and 14(1) to allow for complaints and potential court review concerning a failure to comply with the breach notification provisions. These are important provisions that will provide redress for individuals who are affected by data breaches.
Compliance Agreements and Timelines for Federal Court Applications
A new section 17.1 will allow the Commissioner to enter into compliance agreements with organizations if the Commissioner “believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission” that could constitute a contravention of the Act or a failure to follow a recommendation set out in Schedule 1. The agreement may contain any terms that the Commissioner considers necessary to ensure compliance with the Act. If the Commissioner determines that the organization is not complying with the terms of the compliance agreement, the Commissioner must notify the organization and may apply to the Court for
- an order requiring the organization to comply with the terms of the agreement, in addition to any other remedies it may give; or
- a hearing under subsection 14(1) or paragraph 15(a) or to reinstate any suspended court proceedings.
At present, the Commissioner may seek resolution of a complaint to our Office through negotiation, persuasion and mediation. The Commissioner has no direct enforcement powers. She and/or the complainant have to apply to the Federal Court to seek an order requiring the respondent to take action to correct its practices or award damages to the complainant. In either case, the hearing will be a de novo litigation proceeding which requires considerable resources, and the application must be made within 45 days after a report has been issued unless special leave is obtained from the Court to file an application beyond this timeframe.
As the issues that we are addressing in investigations have become more complex, organizations sometimes require several months to implement our recommendations. If an organization fails to live up to its commitment to implement a recommendation within 45 days of the completion of our report, our ability to go to Court past this statutory deadline is uncertain. This can leave us little choice other than to initiate a court action prematurely, only to have to suspend it while negotiations continue; or to initiate a new investigation so as to press the reset button on the 45-day deadline. Either way, this is not an efficient use of time or resources.
Giving us the authority to enter into voluntary compliance agreements formalizes what we have been trying to do in practice – effectively resolve issues to enhance the privacy of Canadians.
We strongly support these provisions. They will:
- make it easier for our Office to ensure that companies carry through on commitments they have made during investigations;
- provide an incentive for organizations to enter into an agreement and to honour their commitments;
- provide a recourse mechanism for our Office should organizations fail to live up to an agreement; and
- give all parties more flexibility to reach resolution of complex issues within a more realistic and reasonable timeframe as an alternative to immediate litigation.
Broadening Public Interest Disclosures
Bill S-4 will clarify the scope of the confidential information that the Commissioner can disclose when he or she considers it is in the public interest to do so. The proposed amendment will allow disclosure of “any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers.” At present, subsection 20(2) of PIPEDA refers only to “information relating to the personal information management practices of an organization”. This will broaden the Commissioner’s ability to disclose more meaningful information in the public interest.
Clarification of Requirements for Valid Consent
The new section 6.1 being proposed states “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.”
PIPEDA already requires “knowledge and consent”. Principle 4.3.2 requires that “To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.”
We think this is an important and valuable amendment that will clarify PIPEDA’s consent requirements. By requiring organizations to make a greater effort to explain why they are collecting personal information and how it will be used, this proposed amendment should help make consent more meaningful for all individuals, particularly for young people for whom the digital world is an integral part of their daily lives.
Employee Information
S-4 contains four sets of amendments dealing with employee information:
Applicant Information
At present PIPEDA applies to the personal information of employees of federal works, undertakings or businesses (FWUBs). S-4 proposes to expand the application of the Act to the personal information of “an applicant for employment with” a FWUB. We support this change. Clarifying that PIPEDA applies to prospective employees of FWUBs fills a gap in the protection of “employee” information.
Collection, Use or Disclosure of Employee Information without Consent
A new section (7.3) is being added to allow FWUBs to collect, use or disclose without consent personal information “necessary to establish, manage or terminate an employment relationship.”
Obtaining meaningful consent in a workplace environment is very challenging given the uneven bargaining power between employer and employee. Artificially requiring consent in situations where it cannot be freely given or withheld risks watering down the value and meaning of consent more generally.
Although the requirement to obtain consent will be removed, a number of important protections will exist. First of all, the FWUB will have to inform the individuals that their personal information will be or may be collected, used or disclosed for the specified purposes. Secondly, the new section limits the collection, use and disclosure to that “necessary” for these purposes.
The term “necessary” in the new section is critical because of the new ways that organizations can collect information about employees and prospective employees, for example, through Internet searches and from social networks.
Finally, subsection 5(3) will continue to apply. This states that an organization may collect, use or disclose personal information “only for purposes that a reasonable person would consider appropriate in the circumstances.” This would allow us, for example, to investigate a complaint about an employer that may be inappropriately collecting personal information about employees, or prospective employees, from social networking sites.
Work Product Information
S-4 contains three amendments allowing the collection, use or disclosure, without consent, of information “produced by the individual in the course of their employment, business or profession.” This information is typically referred to as “work product” although the term is not used in S-4.
Our Office has consistently opposed excluding or carving out work product from the definition of personal information on the grounds that doing so could result in intrusive workplace monitoring and other unintended or unanticipated consequences, since this information would no longer be protected by PIPEDA at all. We prefer instead to deal with work product issues under PIPEDA on a case-by-case basis that allows us to determine the true nature of the information in a given context.
We are pleased that S-4 does not categorically exclude work product from the definition of personal information. The Bill proposes to remove the requirement to obtain consent but other protections would remain such as the collection limitation principle, the requirement to safeguard the information and the right of access and correction.
As well, we are pleased that the consent exemption for work product information would only apply if the collection, use or disclosure was “consistent with the purposes for which it was produced.” This is an important limitation which we support. We can accept these amendments provided that S-4 does not exclude work product information from the definition of personal information and that the collection, use or disclosure of this information is limited to consistent purposes.
Business Contact Information
The existing definition of “personal information” in PIPEDA excludes the “name, title or business address or telephone number of an employee of an organization”. This means that this information is not subject to PIPEDA.
S-4 proposes to remove the reference to this business contact information from the definition of personal information and add a new definition of business contact information defined as “an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.”
In addition, section 4 of PIPEDA dealing with the Application of the Act will be amended to state that the Act does not apply to business contact information provided it is collected, used or disclosed “solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.”
This means that an organization could use an employee’s or a professional’s telephone number or e-mail address to contact him or her about the services offered by the business without engaging PIPEDA. However, if the organization used the telephone number or e-mail address in an attempt to sell an unrelated product or service, the organization would be required to comply with PIPEDA.
These proposed amendments make sense. Communicating by e-mail has become routine in the 13 years since PIPEDA came into force. The specific purpose limitation at the end provides additional protection for all business contact information. This strikes the right balance.
Disclosures without Consent
Communicating with the Next of Kin
At present, paragraph 7(3)(c.1) allows organizations subject to PIPEDA to disclose information, without consent, to a government institution, or part of a government institution that has requested the information and identified “its lawful authority” in three situations.
S-4 adds a situation in which an organization can disclose without consent under 7(3)(c.1):
“for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual.”
This proposed amendment would, for example, allow a telecommunications company to disclose to a law enforcement agency an unlisted telephone number needed to contact the next of kin or it would allow an air carrier to release the names and contact information of passengers involved in an accident. The British Columbia and Alberta private sector acts have similar provisions.
Identification of Injured, Ill or Deceased Persons
A new paragraph 7(3)(d.4) is being proposed to allow an organization to disclose information to a government institution or part of a government institution or the individual’s next of kin or authorized representative to identify an individual who is injured, ill or deceased. If the individual is alive, the organization has to inform the individual in writing of the disclosure.
This provision is designed to deal with what should be relatively rare situations where a law enforcement agency or other government body needs the personal information to confirm identity.
The two proposed amendments discussed above add new grounds for disclosing personal information without consent for compassionate or humanitarian purposes. We support these provisions, we believe there is little risk of abuse, and we do not anticipate that they will be used frequently.
Financial Abuse
A new paragraph 7(3)(d.3) is being proposed to allow an organization on its own initiative to disclose information to a government institution or part of a government institution or the individual’s next of kin or authorized representative, if “the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse” and the disclosure is made solely for the purpose of investigating or preventing the abuse. In addition, the organization has to reasonably expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse.
The banking industry has been calling for this provision to deal with the financial abuse of seniors although it is not limited to seniors. We understand the rationale for the proposed amendment; however, we would urge the Committee to consult with financial institutions, seniors’ organizations and other stakeholders on the ground to get a real sense of the scope or severity of the problem this provision is intended to address. Ultimately, the challenge will be to weigh the need to protect persons in vulnerable situations from real risk of financial abuse with the need to respect their privacy and dignity.
Disclosures without Consent to another Organization (Replacing the Investigative Body Scheme)
PIPEDA currently provides – in paragraph 7(3)(d) – that an organization can disclose personal information, without the knowledge or consent of the individual, to an investigative body when there are “reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed.”
The Act does not define the term “investigative body”. The Act allows the Governor in Council under paragraph 26(1)(a.01) to designate investigative bodies. There are currently approximately 75 investigative bodies. Each application is confirmed by regulation, which is resource-intensive and time-consuming.
The Standing Committee recommended that PIPEDA be amended to replace the process of designating investigative bodies with a definition of investigation similar to that found in the Alberta and British Columbia Personal Information Protection Acts.
Bill S-4 proposes to eliminate the investigative body regime. In its stead, two new paragraphs 7(3)(d.1) and 7(3)(d.2) will be added to allow an organization to disclose personal information without consent to another organization if:
- it is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation; or
- it is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.
These discretionary amendments would roughly align PIPEDA with the British Columbia and Alberta laws that do not have an investigative body regime. The BC and Alberta laws define “investigation” and “proceeding” (Footnote 2) and allow the collection, use or disclosure of personal information without consent if it is reasonable for these purposes.
While we understand the challenges created by the existing investigative body regime, we have some reservations about the proposed amendments. First, we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used. The proposed 7(3)(d.2) would allow disclosures without consent to another organization to “prevent fraud”. Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud. For example, this could lead to the creation of black lists based merely on suspicion. We therefore suggest that the reference to preventing fraud be removed.
The threshold for these disclosures also raises questions. Bill S-4 would allow disclosures that are “reasonable” for the stated purposes, whereas we recommend the threshold be amended to “necessary”, as was the case with predecessor Bills C-29 and C-12.
Finally, there is the issue of transparency. These disclosures will be invisible to the individuals concerned and to our Office. In order to provide greater accountability, we recommend that the Committee consider ways to require organizations to be more transparent about the disclosures they would make under this provision.
Furthermore, the decision to disclose should be made on a case-by-case basis and the disclosing organization should document and conduct appropriate due diligence to ensure such disclosures are reasonable, or necessary if our suggestion is accepted, for the stated purpose and that obtaining consent would very likely compromise this purpose.
Collection, Use and Disclosure of Witness Statements
S-4 contains three separate amendments allowing an organization to collect, use or disclose witness statements without consent provided it is “necessary to assess, process or settle an insurance claim.” (emphasis added). These amendments were added at the request of the insurance industry.
While we understand the insurance industry’s position we are not convinced that there is a compelling need for these amendments. We have not been presented with any information demonstrating that the absence of these provisions has created a problem for the industry. If this amendment is adopted we believe that it is essential to retain the important qualification in S-4 that the collection, use or disclosure be “necessary” for the stated purposes to limit the potential for “fishing expeditions”.
Use and Disclosure of Personal Information for “Business Transactions”
There are currently no provisions in PIPEDA that allow the disclosure of personal information without consent for due diligence purposes in anticipation of the sale or transfer of business assets. Other legislation such as Ontario’s Personal Health Information Protection Act (PHIPA) and the Alberta and British Columbia private sector acts contain provisions allowing disclosures subject to stringent confidentiality agreements.
Bill S-4 proposes to add a new section 7.2 to allow organizations contemplating a “business transaction” to use and disclose personal information without consent subject to certain conditions and safeguards.
The organizations that are parties to the prospective business transaction can only use and disclose the personal information if it is necessary to determine whether to proceed with the transaction and to complete the transaction (emphasis added). In addition,
- the organization receiving the personal information has to enter into an agreement to use or disclose the information only for the specific purpose, to protect the information and to return or destroy the information if the transaction does not proceed;
- if the transaction is completed, the parties have to enter into an agreement to limit the use or disclosure of the information to the purposes for which it was collected, to protect it and to honour any withdrawals of consent; and
- following completion, one of the parties has to notify the affected individuals of the transaction and the disclosure.
Subsection 7.2(4) contains a further limit on the use of these provisions. It states that they do not apply in the case of a business transaction “of which the primary purpose or result of the transaction is the purchase, sale or other acquisition or disposition, or lease, of personal information.”
We understand the rationale for these amendments. If these proposed business transactions provisions are adopted, the accompanying safeguards and limitations are needed, in our view, to minimize the risk that these new provisions will be abused.
Other Amendments
Section 25 of PIPEDA requires the Commissioner to submit a report to Parliament “as soon as practicable after the end of each calendar year.” However, section 38 of the Privacy Act requires the Commissioner to submit an annual report to Parliament “within three months after the termination of each financial year.” This means that we have two different reporting periods for PIPEDA and the Privacy Act. As a result, we produce two separate annual reports, which is not an efficient use of resources, particularly since not all issues can be neatly categorized as coming under either PIPEDA or the Privacy Act and we frequently end up discussing the same issue in both reports. We are pleased that S-4 proposes to amend PIPEDA to allow us to report on PIPEDA on a financial year basis to coincide with our Privacy Act annual report.
A Word about Transparency: Disclosures without Consent under Paragraph 7(3)(c.1)
We applaud the provisions in Bill S-4 that will create greater accountability and transparency to organizations’ personal information handling practices. In that same spirit, however, we believe more transparency is required around paragraph 7(3)(c.1) disclosures.
Paragraph 7(3)(c.1) states that an organization may disclose personal information to a government institution or part of a government institution without the knowledge or consent of the individual if the government institution has requested it; has identified its “lawful authority”; and has indicated one of the following:
- it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;
- the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law; or
- the disclosure is requested for the purpose of administering any law of Canada or a province.
This provision is discretionary; it does not require the organization to disclose the requested information. Organizations can refuse these requests and many do so when they believe the requesting authority should obtain a court authorized order. However, we know that many organizations do disclose personal information in response to requests from law enforcement and other government agencies with more or less pushback. (Footnote 3)
PIPEDA does not contain any provisions requiring organizations to report on these disclosures. In our PIPEDA reform paper, dated May 2013, we recommended that organizations be required “to publicly report on the number of disclosures they make to law enforcement under paragraph 7(3)(c.1), without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception.” We suggested that organizations should at a minimum be required to keep a record of tombstone data related to such disclosures, and they should be required to post, in a publicly available fashion, the number of such disclosures that they make on a quarterly basis.
We made a similar recommendation in our January 2014 Special Report to Parliament, “Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance.” In fact, many organizations, particularly in the U.S., already report on such disclosures at no apparent disadvantage or detriment to their bottom line.
We would urge the Committee to consider ways to enhance the transparency of these disclosures.
Conclusion
Bill S-4 is the result of a Parliamentary Review that took place seven years ago. It reflects a world in which cloud computing, big data, smart phones and tweeting were not everyday realities. Today, massive amounts of personal information are being collected, analyzed, combined with other data and used in ways that few people can comprehend. These changes threaten to erode the trust on which today’s digital economy rests.
Given the huge changes that have taken place in our society and in the global business environment we believe it is critical to update PIPEDA to ensure it is still fit for purpose. When it was introduced, PIPEDA was considered a leader for its technology-neutral, principles-based approach. However, the past decade has seen the emergence of new generation privacy laws that have institutionalized breach notification requirements and given privacy enforcement authorities stronger powers – leaving PIPEDA sorely lagging behind.
Canada has long been a leader in privacy. Passing Bill S-4 will help us remain a leader in ensuring the adequate protection of Canadians’ privacy interests and building the trust needed for a vibrant and sustainable digital economy. In particular, the mandatory breach notification requirements and the voluntary compliance agreement provisions in Bill S-4 will make the Act stronger and will help to create the incentives needed to restore some balance in PIPEDA.
We look forward to an eventual review of PIPEDA to ensure that it can meet the challenges posed by the digital age.