Letter to the Standing Committee on Access to Information, Privacy and Ethics on the 2018-2019 Main Estimates

On May 29, 2018, the Privacy Commissioner of Canada, Daniel Therrien, sent the following letter to the Standing Committee on Access to Information, Privacy and Ethics to provide information requested during his appearance before the Committee for the 2018-19 Main Estimates on May 1, 2018.

May 29, 2018

Mr. Bob Zimmer, MP
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa ON K1A 0A6

Dear Chair:

Thank you and Members of the Committee for the opportunity to appear before you on the 2018-2019 Main Estimates. I am writing in response to the questions posed during the meeting in which further information was requested regarding breaches and fines under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”); and guidance was requested on how Parliament can address the issues raised by “data giants” to ensure they meet their responsibilities to Canadians. I was also specifically asked about what resources and tools I might need to assist in ensuring that companies respect their privacy obligations and in promoting public awareness of privacy issues.

Fines for breaches

The Committee asked for clarification of the fines that will apply to organizations that contravene PIPEDA’s new breach provisions. As the Committee is aware, as of November 1, 2018, PIPEDA’s existing offence provision will be expanded to include offences for:

knowingly failing to report to the Privacy Commissioner or to notify an individual of any breach of security safeguards that create a real risk of significant harm (section 10.1) and
knowlingly failing to keep and maintain a record of every breach of security safeguards (subsection 10.3(1).

Accordingly, as of November 1, 2018, the offence provision in section 28 of PIPEDA will state:

28. Every organization that knowingly contravenes subsection 8(8), section 10.1 or subsection 10.3(1) or 27.1(1) or that obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of

an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or

an indictable offence and liable to a fine not exceeding $100,000.

The government has expressly stated its intention that organizations who deliberately fail to notify individuals of breaches of security safeguards under PIPEDA would potentially be subject to a fine for every individual that they failed to notify^{Footnote 1}. I believe this is a reasonable interpretation of the Act, having regard to the wording of the reporting obligations in subsections 10.1(1) and (3) of PIPEDA, which both refer to a breach that creates a real risk of significant harm to “an individual” or “the individual”, not individuals as a collective. However, given that prosecutions of offences under PIPEDA would not be undertaken by the Privacy Commissioner, I would suggest that the Committee contact officials at the Public Prosecution Service of Canada and Innovation, Science and Economic Development Canada to obtain further information about how they envision these provisions to be enforced in practice.

Regulating data giants

On the matter of effective measures to address the many challenges posed by companies that handle and profit from massive amounts of personal information, as I indicated to the Committee, my Office recently underwent a restructuring exercise with the goal of streamlining our work and moving it towards a more proactive approach for privacy protection,that focusses efforts where there can be an impact for the greatest number of Canadians. We have gone to great lengths to find efficiencies and make optimal use of existing resources and tools. Nonetheless, we find ourselves unable to keep pace with the challenges of an increasingly complex digital environment, in no small part because Canada’s privacy laws are not adapted to the realities of the 21^st century.

To sustain Canadians’ trust in the digital environment, innovation and economic growth must be balanced with privacy protection. Over the years, as the technology and business opportunities have evolved, my Office has also learned more about this environment but we are always struggling to keep pace, with only a partial view of a larger picture. We have certainly learned that we need to work with other privacy regulators here in Canada and around the world, and we are increasingly doing so. We have also learned that we need closer ties to regulators in other areas, such as competition law. We have begun to forge these links, but we are constrained by the parameters of the law. The Act only permits me to cooperate with other privacy enforcement authorities’ investigations; I cannot do the same with the Competition Bureau, CRTC, the Human Rights Commission, or Elections Canada, to name a few. We encountered this in a recent investigation involving Ashley-Madison, where we could cooperate with our counterparts in Australia and the Federal Trade Commission in the US, but we could not share information with the Competition Bureau. These offices are increasingly called upon to respond to the impacts arising from the digital environment. Having the authority to share information with other Canadian regulators would allow for more cooperation and would reduce redundancies. As was rightly noted during the appearance, the effects of the environment encompass more than privacy issues, including the intersection of privacy with traditional consumer protection and anti-trust issues. A holistic approach is needed to ensure that innovation and economic growth are balanced with other protections.

In addition to an enhanced ability to cooperate with other regulators, I would emphasize again the need for enhanced abilities to proactively look at organizations’ practices, not waiting until problems arise, with appropriate sanctions. Achieving the balance between economic growth and protection of rights is a lengthy iterative process and only time will reveal more clearly the steps required to get there. At present, we know our powers are not strong enough and enhancing them, to have a better understanding of the environment, is a good starting point. We require more authority to “look under the hood” and learn more thoroughly about company practices, including a lower threshold for audits and credible sanctions^{Footnote 2}.

While cross-border transfers of data have many benefits, ideally, international legal instruments should be in place to regulate these data flows to protect privacy and other fundamental rights. However, realistically, an international consensus on these issues may take quite some time to reach. In the meantime, personal information is subject to domestic laws, many inspired by the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Allowing my Office to collaborate with other authorities (not only data protection authorities, which is a power I currently have and increasingly use) in other sectors, such as competition law, both domestically and internationally, would also help Canada maintain a leadership role in this area.

Finally, you asked about needed resources and tools. This challenging environment, characterized by rapidly evolving privacy threats, has placed unprecedented pressures on my Office’s finite resources. It has led us to request from government a modest $8M (30%) increase in permanent funding, to provide interim relief pending much needed legislative reform. If received, these funds would be focused on establishing a limited presence in our new proactive approach contemplating:

the need to arm organizations with more policy guidance on emerging issues;
the need to arm Canadians through education with the knowledge they need to take control of their privacy; and,
resourcing our overwhelmed investigative resources such that they can partially keep pace with the increased enforcement demands from both a reactive and proactive stance.

However, to bridge the gap between establishing a presence with our promotion and compliance efforts and having a true impact in protecting Canadians’ privacy rights, a more realistic budget increase of $23M (90%) might be required. This is the proportional increase recently granted by the UK government and Parliament to my counterpart, the Information Commissioner’s Office, whose staff will grow from 370 in 2017 to 700 in 2021. In providing this funding, the UK government showed its understanding of the need to uphold strong privacy laws in order to create a sustainable climate for economic growth.

What is the difference between establishing a presence with a 30% increase versus having a true impact at 90%? The former would allow us to undertake a limited number of proactive promotion and compliance activities and reduce but not eliminate our backlogs of complaints. The latter would equip my Office with a full suite of properly resourced Promotion and Compliance tools. We have already experienced a great deal of interest in our office providing more advisory services to business; right now, however, our limited advisory program would not come close to meeting such expressed demand.

Complete funding would provide for a full set of guidance documents and ensure that they remain current, which is essential when technological leaps result in the creation of new privacy risks every day. It would allow us to provide advice to more organizations that wish to use new technologies in a privacy compliant way. In focussing on improving citizen control of their privacy, we could use contextual advertising to bring individuals to our site when they are about to make a decision on whether to disclose their personal information. We would also develop effective strategies with regulators in other fields to ensure companies are held into account. And finally, full funding would allow my Office to be both proactive with the most egregious of privacy risks, and responsive in a timely way to all complaints, thus achieving a greater scope of compliance and deterrence amongst those departments and organizations wishing to remain on-side of Canada’s privacy laws.

I hope my comments are of assistance to you and I look forward to future opportunities to discuss privacy issues with the Committee.

Sincerely,

(Original signed by)

Daniel Therrien
Privacy Commissioner of Canada

c.c.:
Hugues La Rue
Clerk of the Committee

Footnote 1

See Issue number 7: Proceedings of the Standing Senate Committee on Transport and Communications. See statement of Minister Moore, appearing on behalf of Industry Canada (as it then was): “In addition, organizations that deliberately break the rules and cover up data breaches will face fines of up to $100,000 for every person or client they failed to notify.”

Return to footnote 1

Footnote 2

Under the GDPR, fines will amount to four percent of the organization’s annual revenues; in the United States, the Federal Trade Commission (FTC) has leveled sanctions of $20 million and higher in the form of settlement agreements; in Canada, the Competition Act provides for administrative monetary penalties to a maximum of $15 million, based on a variety of factors.

Return to footnote 2

Date modified:: 2018-06-06

Language selection

Search and menus

Search

Letter to the Standing Committee on Access to Information, Privacy and Ethics on the 2018-2019 Main Estimates

Fines for breaches

Regulating data giants