Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act)
Submission to the Standing Committee on Industry, Science and Technology
February 12, 2015
Mr. David Sweet, M.P.
Chair of the Standing Committee on Industry, Science and Technology
131 Queen Street, 6th Floor
Ottawa, Ontario K1A 0A6
Dear Mr. Sweet:
The Office of the Privacy Commissioner made a submission in June 2014 before the Senate Transport and Communications Committee on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act) which it presented on invitation of the Committee.
The submission is posted on our website.
Although the submission was prepared before I was appointed Commissioner, I endorse the content of this submission and would be very pleased to see Bill S-4 become a reality. However, given the discussion of Bill S-4 at the Senate Committee and in light of the Supreme Court’s seminal decision, R. v. Spencer (“Spencer”), I would like to comment further on two issues.
This letter elaborates on the Office’s submission to the Senate with respect to the proposed paragraphs 7(3)(d.1) and (d.2) and, given Spencer, it highlights the need to ensure that paragraph 7(3)(c.1) disclosures respect the Spencer decision.
The Existing Investigative Body Regime
Bill S-4 proposes to add two new paragraphs 7(3)(d.1) and 7(3)(d.2) to allow an organization to disclose personal information without consent to another organization if:
- it is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation; or
- it is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.
These paragraphs are effectively being proposed to replace the existing “investigative body” provision in 7(3)(d) that permits an organization to disclose personal information, without the knowledge or consent of the individual, to an investigative body when there are “reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed.” Also under the existing regime, a separate paragraph, 7(3)(h.2) allows an investigative body, in turn, to disclose personal information when it is “reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.”
Though not perfect, the existing investigative body regime at least contains some important accountability safeguards:
- Organizations seeking investigative body status must justify their need to conduct investigations pursuant to their mandate;
- A third party (Industry Canada) reviews applications from the organizations seeking investigative body status to whom disclosures of personal information without consent can be made;
- The Governor in Council, under paragraph 26(1)(a.01), has to designate these organizations as investigative bodies through the regulatory process, allowing other parties to comment; and
- A list of all the investigative bodies is publicly available at all times.
These safeguards provide some transparency and help balance organizations’ needs to protect their legitimate business interests with individuals’ right to privacy, by ensuring that such disclosures are limited to specific organizations, including regulatory bodies, tasked with conducting investigations. In addition, paragraph 7(3)(d) makes it clear that these disclosures without consent are to be made on the “initiative” of the disclosing organization (emphasis added) and not on request of the investigative body.
Paragraphs 7(3)(d.1) and (d.2)
The safeguards discussed above would not be carried over into paragraphs 7(3)(d.1) or (d.2). These proposed amendments permit disclosures based on a lower threshold (“reasonable for the purpose” of investigating a breach of an agreement or a contravention of a law rather than “reasonable grounds to believe” that the information relates to a breach or contravention) and for a broader range of purposes (including “to prevent, detect or suppress” fraud).
Allowing disclosures without consent to another organization to “prevent, detect or suppress” fraud, without reasonable grounds to believe that fraud is a real problem in the first place, may open the door to widespread disclosures and routine sharing of personal information among organizations based on a hypothetical risk of fraud. For example, this could lead to fishing expeditions to obtain information about individuals based merely on suspicion. Moreover, once the transparency of the investigative body regime disappears, there will be no mechanism to identify to which organizations personal information is being disclosed or to determine for what general purpose based on their mandate.
Our Recommendation on paragraphs (d.1) and (d.2)
To summarize, if adopted, paragraphs 7(3)(d.1) and (d.2) will potentially allow a larger, unspecified number of organizations to receive personal information without consent for a broader range of purposes under a lower threshold than is presently the case. Moreover, the existing investigative body regime provides a measure of transparency and accountability which will disappear under Bill S-4.
As a result, we cannot support the adoption of the two paragraphs in their current form. While we can understand the need for organizations to have provisions in place to address fraud, this proposed solution is too expansive in scope. We therefore recommend that paragraphs 7(3)(d.1) and (d.2) be removed from the Bill and that PIPEDA maintain the existing investigative body regime.
If, however, the government remains committed to doing away with the existing investigative body regime, we would recommend that the thresholds and grounds currently in paragraph 7(3)(d) of PIPEDA be carried over into the new provisions 7(3)(d.1) and (d.2), and that a transparency mechanism be added:
- The threshold under paragraph 7(3)(d.1) should be based on a “reasonable grounds to believe” that the information relates to an actual breach or contravention;
- The threshold under paragraph 7(3)(d.2) should be based on a “reasonable grounds to believe” that the information relates to the detection or suppression of fraud that “has been, is being or is about to be committed”;
- Disclosures under paragraphs 7(3)(d.1) and (d.2) should only be permitted at the initiative of the disclosing organization and not at the request of an organization; and
- In order to enhance transparency and accountability, the disclosing organization should be required to document and conduct appropriate due diligence to ensure all disclosures comply with the requirements of the Act.
To expand on the last point, disclosing organizations should be required to report publicly on the number of disclosures being made and the types of organizations involved. Disclosing organizations should also be required to document the analysis undertaken in deciding to disclose information under this provision. These mechanisms would aid in holding organizations accountable for disclosures that would otherwise be invisible.
The Spencer Decision and Paragraph 7(3)(c.1) Disclosures
Paragraph 7(3)(c.1) permits an organization subject to PIPEDA to disclose an individual’s personal information without his or her knowledge or consent if the disclosure is made to a government institution that has made the request for the information, identified its “lawful authority” to obtain the information and indicated that the information requested is for a specified purpose. In our Senate appearance last June, we called for an additional amendment to PIPEDA that would require organizations to annually report on the numbers of discretionary disclosures they make under section 7(3)(c.1) as a means of increasing transparency and public accountability to Canadians.
Subsequent to our Senate appearance, the Supreme Court of Canada released its decision in R. v. Spencer which calls for a few additional remarks in respect of paragraph 7(3)(c.1) of PIPEDA. In its unanimous decision, the Supreme Court of Canada held that “lawful authority” within the meaning of paragraph 7(3)(c.1) must mean something other than a subpoena or a warrant which is already provided for in paragraph 7(3)(c). Paragraph 7(3)(c.1) allows warrantless disclosures to government institutions with requisite “lawful authority” to obtain this information, but does not, in itself, create or provide government institutions with warrantless search and seizure powers. Rather, “lawful authority” must find its source outside of PIPEDA and may include authorization by a reasonable law, police authorization to conduct warrantless search in exigent circumstances, or common law authority of police to ask questions relating to matters that are not subject to a reasonable expectation of privacy.
While organizations subject to PIPEDA may be able to ascertain the existence of “lawful authority” on the face of a reasonable statute, or in a relatively clear situation of exigent circumstances, their ability to assess whether or not personal information attracts a “reasonable expectation of privacy” is a very tall order.
Carrying out a reasonable expectation of privacy analysis is highly complex and contextual. As the Supreme Court of Canada determined, a reasonable expectation of privacy analysis turns not only on the specific information being sought, but on its potential to reveal other personal information about the individual. This analysis is rendered all the more difficult in an online context and as the Court highlighted, “the provisions of PIPEDA are not of much help in determining whether there is a reasonable expectation of privacy in this case.”
As a result, organizations are left in a state of uncertainty and ambiguity as to when they may or may not disclose personal information without warrant. More specifically, they are left with the challenging task of determining when law enforcement officials are properly exercising their common law authority to ask questions relating to matters that are not subject to a reasonable expectation of privacy.
Different telecommunications service providers appear to be responding to Spencer in different ways, with some requiring legal authorization for the disclosure of any basic subscriber information except in life-threatening emergencies. For their part, law enforcement and government institutions appear to have significantly varying practices in making and documenting warrantless access requests under paragraph 7(3)(c.1), which may become even more variable post-Spencer. This leaves individuals in the dark about when their personal information may be disclosed to state authorities without their consent or prior judicial authorization.
We would therefore urge the Committee to recommend putting an end to this state of ambiguity by clarifying when, post-Spencer, the common law policing powers to obtain information without a warrant can still be used. I believe that a legal framework, based on the Spencer decision, is needed to provide clarity and guidance to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada’s decision. Such a framework would provide Canadians with greater transparency about private sector disclosures of personal information to state agencies.
In our submission to the Senate on Bill C-13, the Protecting Canadians from Online Crime Act, we recommended that Bill C-13 be amended to reflect the R. v. Spencer decision. More specifically, we recommended that the new immunity clause being proposed in Bill C-13 state explicitly that discretionary disclosures to law enforcement and other government officials following a warrantless request be limited only to situations where there are exigent circumstances, pursuant to a reasonable law, or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.
Bill C-13 received Royal Assent on December 9, 2014, without amendment. I would recommend that Parliament achieve the same objective of clarity, certainty and transparency by alternative means of a clarifying provision in PIPEDA that would define “lawful authority” for the purposes of paragraph 7(3)(c.1) in the same manner I proposed above, that is, where there are exigent circumstances, pursuant to a reasonable law other than paragraph 7(3)(c.1) of PIPEDA, or in prescribed circumstances where personal information would not attract a reasonable expectation of privacy.
Enhancing Transparency of Disclosures
In our submission to the Senate on Bill S-4 in June 2014, we commented on the need for greater transparency concerning disclosures made without consent by organizations at the request of a government institution or a part of a government institution. The Spencer decision reinforces the importance of transparency; greater transparency will act as a check to help ensure that the spirit and intent of the Supreme Court of Canada’s decision is respected.
Some Canadian telecommunications service providers have started to issue “transparency reports” revealing the number of requests they have received from government departments and agencies for subscriber information about their customers. This is a positive first step but it only addresses one sector of the economy.
We continue to believe that greater transparency is required and that all organizations subject to PIPEDA should, at a minimum, be required to keep a record of tombstone data related to such disclosures, and they should be required to publicly post, on a regular basis, the number of such disclosures that they make both with and without a warrant. This public reporting requirement has become all the more important given the significant new scope of investigative powers afforded to public officers under the newly adopted Bill C-13 and would complement the Annual Report on the Use of Electronic Surveillance, tabled annually in Parliament since 1977.
Conclusion
Overall, the introduction of Bill S-4 is a positive development for privacy protection in Canada. PIPEDA was written in the 20th century. It is more than a decade old. From a privacy perspective, the world has changed dramatically during this relatively short time. Passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the Office of the Privacy Commissioner better protect Canadians while addressing the emerging privacy issues of the 21st century.
Sincerely,
(Original signed by)
Daniel Therrien
Commissioner