The Standing Senate Committee on Transport and Communications

TRCM 51514 UNREVISED – NON-RÉVISÉ 0930- 1

THE STANDING SENATE COMMITTEE ON TRANSPORT AND COMMUNICATIONS

EVIDENCE

OTTAWA, Tuesday, June 10, 2014

The Standing Senate Committee on Transport and Communications, to which was referred Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act, met this day at 9:30 a.m. to give clause-by-clause consideration to the bill.

Senator Dennis Dawson (Chair) in the chair.

The Chair: Today, we are scheduled to conduct a clausebyclause examination of Bill S4, an Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. It is also known by its short title, the Digital Privacy Act. Bill S4 amends the federal private-sector privacy act.

Before we do this, I would like to remind the senators of a few points. If, along the way, you want clarification, if we are going too fast or too slow on the amendments or the discussion, feel free to interrupt, and “Beauchesne” and I will try to address your issues, Beauchesne being Daniel “Beauchesne” Charbonneau. When we get there, if there is opposition, we'll deal with it. I think the critic of the bill wanted to make some comments.

Senator Furey: I did, chair. I wanted to propose a couple of amendments. I am just wondering whether we can have a general discussion about that proposal because we have some people here from the department who could perhaps answer some questions. Should we just do it when we come to the appropriate clauses?

The Chair: If anybody has some opening comments, we'll go clausebyclause. We did request that some people from Industry Canada be here and come to the table if questions are to be asked.

Senator Furey: Perhaps we can have them at the table, and I could talk about the amendments. Then, we could go clausebyclause if that's oak.

Senator Plett: I certainly have no issue with the officials coming to the table and sitting here for the entire time, but I would suggest that, if we want to discuss any amendments, we do so when we get to that particular clause as I also have an amendment. So, if Senator Furey is agreeable to that I think both of his amendments are around section 7 could we wait until we get to that section before we have a general discussion on those?

Senator Furey: I'm fine; either way is good with me.

The Chair: So we won't argue about the title of the bill?

Welcome. We'll wait for the questions. Maybe you could introduce yourselves before we start.

Mr. Padfield: I'm Chris Padfield, Director General of Digital Policy at Industry Canada.

Mr. Clare: I'm John Clare. I'm the director of privacy and data protection policy.

The Chair: Is it agreed that the committee proceed to clausebyclause of Bill S4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act?

Hon. Senators: Agreed.

The Chair: Agreed.

Shall the title stand postponed?

Hon. Senators: Agreed.

The Chair: Shall clause 1 stand postponed?

Hon. Senators: Agreed.

The Chair: Shall clause 2 carry?

Hon. Senators: Agreed.

The Chair: Shall clause 3 carry?

Hon. Senators: Agreed.

The Chair: Shall clause 4 carry?

Hon. Senators: Agreed.

The Chair: Shall clause 5 carry?

Hon. Senators: Agreed.

The Chair: Shall clause 6 carry?

Some Hon. Senators: Agreed.

Senator Furey: I propose that Bill S-4 be amended in clause 6,

(a)  on page 5,

(i)  by deleting lines 14 so 21, and

(ii)  by relettering paragraphs 7(3)(d.2) and (d.3) as paragraphs 7(3)(d.1) and (d.2) respectively;

(b)  on page 6 by relettering paragraph 7(3)(d.4) as paragraph 7(3)(d.3); and

(c)  on page 7 by adding after line 6 the following:

"(14.1) Section 7 of the act is amended by adding the following after (3):

(3.1) Except where otherwise expressly provided by law and subject to subsection (3.2), an organization shall notify the individual of any disclosure of his or her personal information made by it under subsection (3), and the purposes for which that disclosure was made, within 60 days of the disclosure.

(3.2) On the application of a government institution, the Court may grant an order that notification under subsection (3.1) be delayed if the Court is satisfied that it is in the public interest to do so.

(3.3) An organization that discloses personal information under subsection (3) during a fiscal quarter of a fiscal year shall, as soon as feasible after the end of that fiscal quarter, submit to the Commissioner a report on the number of disclosures of personal information made by it under subsection (3) during that fiscal quarter, indicating

(a) the total number of disclosures made;

(b) the number of disclosures made in respect of each of the applicable circumstances set out in paragraphs 3(a) to (h.1); and

(c) the number of disclosures that included each of the following classes of personal information:

(i) name,

(ii) address,

(iii) electronic mail address,

(iv) telephone number,

(v) electronic message content,

(vi) computer data,

(vii) Internet protocol address,

(viii) Uniform Resource Locater, and

(ix) any other class of personal information specified by the Commissioner.

(3.4) The Commissioner shall make public the name of any organization that submits a report under subsection (3.3), together with the information referred to in paragraphs 3.3(a) to (c) that is contained in the report.

I would like to deal with those as two separate parts, chair, the first being the elimination of the disclosure of company to company.

Right now, the bill permits government organizations to disclose back and forth. We're not touching that. We're saying that's fine. But we're saying that for companytocompany disclosure, we'll end up with a situation like that of our neighbours to the south where companies that come trolling for information about downloading music and movies basically end up attacking individuals who have no idea that this information has been supplied. I had these discussions with the department, and they see in the present clause a fourpart test. Companytocompany disclosure must be reasonable. According to this section, a breach must have occurred or is about to occur. As well, it must be reasonable to believe that obtaining the consent would compromise an investigation.

Colleagues, my fear with this is that it expands on what's already in PIPEDA from government organizations. As I said, it's not the intention of this amendment to interfere with or to change that; but when you expand it to private sector, and I don't think those points are strong, companies can gather information that they can use to sue individuals who have no idea that this information has been disclosed.

Mr.Padfield, would you like to respond?

Mr. Padfield: I would like to point out that under PIPEDA currently there is a section on investigative bodies that actually regulate the entities that do those exchanges. Under PIPEDA as it exists, there is an exchange of information between companies. There are regulating schedules at the back of PIPEDA that outline the number of entities that do such exchanges. They are like investigative services, the division of the insurance bureau, where you have insurance companies sharing information to ensure there is not fraud being committed. The Bank Crime Prevention and Investigation Office of the Canadian Bankers' Association does these kinds of exchanges.

The amendment isn't to add anything new but to change how these activities are regulated. In the past, entities making these exchanges of personal information without consent were doing so as an investigative body. The intent of the amendment is to regulate those kinds of activities.

Senator Furey: Proposed subsection (d.2) still allows that to go on; but why do you want to have uncontrolled exchange of information from company to company? Why is that necessary? Why would you put that in there?

Mr. Padfield: I wouldn't say it's uncontrolled. As you mentioned, there is the fourpart test, which we think is fairly rigorous in terms of being able to demonstrate that you're content to not require

Senator Furey: Let's examine the fourpart test. The first one is reasonableness, correct?

Mr. Padfield: Correct.

Senator Furey: Not a very stringent test.

Mr. Padfield: or made to another private sector organization -- reasonable for the purpose of investigating a breach of an agreement or a contravention of the law.

Senator Furey: They have access to warrants. The company can do it the old way and get a warrant if they think there is a breach of their contract and get the information that way. Why are we adding to this bill an allowance for them to just go and get the information? They can ask for it and get it.

Mr. Padfield: It's a timeliness issue.

Senator Furey: It should be a timeliness issue when you're talking about the privacy of Canadians. I don't see the need for it. I can understand for government institutions and the police and exigent circumstances like 9/11. I'm saying about this amendment, let's not allow companies to request information and get it freely without any warrants or anything else.

Mr. Padfield: Not all activities covered by this section would be criminal in nature. Take some of the colleges listed in the schedule, such as the College of Physicians and Surgeons

Senator Furey: Sorry, I'm going to cut your off there. It doesn't say "criminal." It says "contravention of the laws of Canada." Contract laws are laws of Canada. It doesn't necessarily have to be criminal. If they were just criminal, it would have a different cast over it altogether. Criminal activity is still covered because the police can still get this information. We're not touching that or changing it.

With the way this is worded, I could go to a company and say, "I have a movie that has been downloaded. I have the patent right to it. It's against the laws of Canada to breach my patent. I want all that information." According to this, okay no problem; here it is. Why would we do that?

Mr. Padfield: I go back to original intent and having the investigative bodies system in place for a number of years. Alberta and B.C. are moving toward a similar method. When we had the last parliamentary review, the recommendation was that we move to the process closer to what those two provinces have. We're streamlining to make sure the federal statute reflects what's going on in B.C. and Alberta.

Senator Furey: This broadens the scope so much. We had a witness before the committee, unfortunately I wasn't here, and I reviewed the testimony. One thing that he said is a problem in the U.S. is patent trolling. I'm sure you know what that is. To review it, a company says, "Your users are downloading my movies. I want access to all your information." So, you give them access to all the information. They contact all the people, threaten to sue them and end up settling for $5,000 a small number but to average individuals a large number. This is becoming a multimillion dollar industry in the U.S. attacking people. Now we're saying that companies should give out information between each other willy-nilly. Why would we do that?

Mr. Padfield: I can't speak to the differences in copyright law between Canada and the U.S.

Senator Furey: I'm not talking about copyright law. I'm talking about infringements. All I have to do is reasonably say to another company, "I think, based on the following usage tables, that your users are downloading my movies. I want their names and IP address." I can contact them and say, "I'm going to sue you; but if you don't want me to sue you, send me a cheque for $5,000."

Mr. Padfield: I'd only add the fourth test: You must be reasonable about obtaining consent.

Senator Furey: The reasonableness is not in the minds of you and me. Rather it's the test between the two companies trading this information. For the provider to supply my IP address to another company, they only have to do is say, "He's got information here and the usage definitely looks like there's been copyright infringement a breach of the law. Here is the information." I have a real problem with that.

Anyway, thank you for your answers.

Senator Mercer: I share Senator Furey's concerns. I'm not a lawyer, but I am someone who firmly believes in the Charter of Rights and the Constitution. I'm not sure these provisions would survive a charter or constitutional challenge for the protection of the privacy, given the reasonable expectations of Canadians to privacy, by allowing the free flow of information from one corporate entity to another corporate entity without their agreement.

We talked about reasonableness. Who determines what's reasonable? Reasonable is a fluid term. What's reasonable to Senator Demers and Senator Plett may not be reasonable to me. Who is reasonableness do you settle on? It's reasonable to me that your company would give me information that's going to allow me to go after a number of people who have been using my product inappropriately.

Why shouldn't there be another step in there such that I have to say why I believe that and put the evidence on the table. Then somebody can say, "Okay, that sounds reasonable." There has to be a step in there for reasonableness.

There is a reason that this bill was introduced in the Senate. I think it was introduced in the Senate because we could have this debate we're having today and hopefully make amendments today. We make good law here, and we try to fix bad law here when we get it from the other side. If we don't fix this bad law here and we think it's going to get fixed over in the other place, we're dreaming, because it's not going to be on. I think we need to pay very close attention to this and try to fix it.