Bill S-4 : My Appearance Before the Industry Committee

This morning I appeared before the Standing Committee on Industry, Science and Technology to discuss Bill S-4, the Digital Privacy Act.

My opening remarks are posted below; I will provide the link to the full transcript once it is made available online.


Appearance before the Standing Committee on Industry, Science and Technology,
March 26, 2015

Good morning,

Thank you for providing me with the opportunity to speak with you today. My name is Eloïse Gratton. I am a partner at Borden Ladner Gervais LLP and I also teach a privacy law course at the University of Montreal Law Faculty.

I’ve been practicing in the field of privacy law for over fifteen years and I represent a range of clients, mostly private sector businesses, from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients or other organizations with which I’m associated.

My time is limited this morning, so I’m going to first mention two provisions in S-4 that have my support, and then two that raise concerns.

I offer my support to two important provisions in the bill:

  1. Mandatory breach notification

I welcome the proposals to introduce mandatory breach notification. This proposal comes at a time when breaches are often reported in the news, individuals are increasingly concerned with how their personal information is handled by organizations, and also at a time when the norm is already in place, meaning that many if not most organizations are already notifying the commissioners and affected individuals upon breaches that pose a “real risk of significant harm”. This proposal would bring PIPEDA into line with notification laws that have been introduced in other jurisdictions, including Alberta, and the notification proposals in S-4 strike a reasonable balance in my view.

  2. Business transaction exception

I also support the proposal to allow disclosures to facilitate business transactions. I think all jurisdictions would benefit from having these types of business transaction exceptions. If S-4 is passed, Quebec will be the only jurisdiction without a business transaction exception. I have already expressed, on many occasions in the past, the opinion that the absence of a business transaction exception is unnecessarily complicating the due diligence and the closing processes of mergers and acquisitions. I also believe that the safeguards proposed in these provisions properly address any concerns and any risk of abuse.

I have concerns with two provisions in S-4:

  1. Clarification on valid consent

I know that many who have appeared before me to discuss S-4 have expressed their approval of the proposed amendment to clarify the requirements for valid consent. Yes, in theory, not many people would logically object to having a more stringent provision governing “valid consent” (s. 6.1).

Still, I have a few concerns with this proposal.

PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: (i) Do we have a concern with this consent requirement? and if so, (ii) Will the proposed amendment address such concerns?

If the proposed amendment is accepted, the message sent to organizations is that the way they used to obtain consent may no longer be valid, and that perhaps they should be taking additional steps.

PIPEDA is based on a “notice and choice model” which may prove to be a real challenge in 2015. In my recent book “Understanding Personal Information” I have a chapter dealing with the challenges of this “notice and choice” approach. I raised the point that in our day and age, it is debatable whether this model still makes sense and is a realistic one: very busy individuals with limited time are expected to review, understand and agree to various different – sometimes online – terms of use agreements, and keep up with new technologies and business models that are constantly evolving.

We have also already begun to witness how consent forms now require a few additional clicks to ensure that express consents are obtained in compliance with the new Canadian Anti-Spam Law, since under this law, certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement.

I am mostly concerned that this type of amendment will translate into organizations including additional verbiage in their already very long privacy statements and requiring more clicks from users already overloaded with information.

  2. Sharing without consent

I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2) that would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand, in some situations, the necessity for this proposal.

A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One case worth noting, which ended up in Federal Court in 2010, is Stevens v. SNF Maritime Metal Inc. This case was the story of SNF, a company purchasing scrap metal from another company. After that company’s employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal, SNF disclosed this fact to his employer, which already suspected that someone was stealing scrap metal. The company realized that its employee was indeed stealing from it, fired him, and the employee then sued SNF for a breach of his privacy. Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since it had disclosed personal information about Stevens, the fraudulent employee, without his prior consent.

Bottom line, I agree that we need to have a provision authorizing a disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the “investigation of a breach of an agreement” provision or the “purposes of detecting fraud” provision. These disclosures would further be invisible both to the individuals concerned and to the Office of the Privacy Commissioner.

If we can find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such situations would have to be transparent about these disclosures, I would offer my support to this type of amendment.

Thank you, and I welcome questions.


This content has been updated on March 29, 2015 at 10 h 28 min.