From: Pierre-Luc Simard
Sent: November 8, 2017 1:59 PM
To: BANKING
Subject: Letter from the Office of the Privacy Commissioner of Canada to the BANC Committee / Lettre du Commissariat à la protection de la vie privée du Canada au Comité BANC

French version follows

Honorable Senators:

On behalf of Mr. Daniel Therrien, Privacy Commissioner of Canada, the Office of the Privacy Commissioner wishes to submit to the Committee’s attention four briefs and two clarifications stemming from our November 2nd appearance on the issues and concerns pertaining to cyber security and cyber fraud. The documents are attached to this email and available in both official languages.

Pertaining to the question made by Senator Black about the national cybersecurity strategy, the first brief provides the Office’s comments shared with the National Cyber Security Directorate of Public Safety Canada in the context of a call for submissions for their 2016 consultation on security and prosperity in the Digital Age.

With regard to the remaining three briefs, the first paper sets out the Office’s recommendations on the mandatory breach reporting requirement made during the TRCM Committee study of Bill S-4, An Act to Amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act. The second and third documents respectively contain our comments shared with Innovation, Science and Economic Development Canada in 2016 on the elements of PIPEDA data breach reporting and notification requirements contemplated under regulations; and then, a year later, on the data breach regulations published in Part 1 of the Canada Gazette. The issue of mandatory breach reporting requirements has been raised by Senator Day during the round of questions.

Finally, we would like to bring to the Honourable Senators’ attention the following clarifications regarding two answers provided during our testimonies:

• When Senator Moncion questioned the Commissioner about the financial institutions’ role in protecting and disclosing Canadians’ personal information in the course of a police investigation, Ms. Kosseim referred the Committee to a decision made by the Court of Appeal of Québec (page 20 of the unrevised evidence). In fact, that decision has been made by the Court of Appeal for Ontario;

• When Senator Ringuette asked Mr. Homan about the number of overall complaints received by our Office under PIPEDA (also at page 20 of the unrevised evidence), he answered 150 complaints. The exact figure, as reported in our Annual Report, is actually 325.

I hope that you will find the contents of this communication of interest and wish to thank the Honourable Senators for their ongoing support in protecting the privacy rights of Canadians.


Regards,
Pierre-Luc Simard
Agent des affaires parlementaires | Parliamentary Affairs Officer
Direction des services juridiques, des politiques et des affaires parlementaires | Legal Services, Policy and Parliamentary Affairs Branch
Commissariat à la protection de la vie privée du Canada | Office of the Privacy Commissioner of Canada

* * * * *

Honourable Senators,

On behalf of Mr. Daniel Therrien, Privacy Commissioner of Canada, the Office of the Privacy Commissioner of Canada wishes to submit for the Committee’s attention four submissions and two clarifications following our appearance on November 2 concerning the issues and concerns relating to cyber security and cyber fraud. The documents are attached to this email and are available in both official languages.

Further to the question raised by Senator Black concerning the national cyber security strategy, the first brief provides the Office’s comments, which were shared with the National Cyber Security Directorate of Public Safety Canada as part of the call for submissions for its 2016 consultation on security and prosperity in the digital age.

With respect to the other three briefs, the first sets out the Office’s recommendations concerning the mandatory breach reporting requirements, issued during the TRCM Committee’s study of Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act. The second and third documents respectively contain our comments sent to Innovation, Science and Economic Development Canada in 2016 concerning certain elements of the data breach notification and reporting requirements imposed by PIPEDA and contemplated under the regulations; and then, a year later, on the data breach regulations published in Part 1 of the Canada Gazette. The issue of mandatory breach reporting requirements was raised by Senator Day during the round of questions.

Finally, we would like to bring to the Honourable Senators’ attention the following clarifications regarding two answers given during our testimony:

• When Senator Moncion questioned the Commissioner about the role of financial institutions in protecting and disclosing Canadians’ personal information during a police investigation, Ms. Kosseim referred the Committee to a decision issued by the Court of Appeal of Québec (page 20 of the unrevised transcript). In fact, that decision was rendered by the Court of Appeal for Ontario;

• When Senator Ringuette asked Mr. Homan for the total number of complaints received by the Office under PIPEDA (also at page 20 of the unrevised transcript), he answered 150 complaints. The exact figure, as reported in our annual report, is actually 325.

I hope that you will find the contents of this communication useful and thank the Honourable Senators for their continued support for the privacy rights of Canadians.

Yours truly,
Pierre-Luc Simard
Agent des affaires parlementaires | Parliamentary Affairs Officer
Direction des services juridiques, des politiques et des affaires parlementaires | Legal Services, Policy and Parliamentary Affairs Branch
Commissariat à la protection de la vie privée du Canada | Office of the Privacy Commissioner of Canada


Commissaire à la protection de la vie privée du Canada | Privacy Commissioner of Canada
30, rue Victoria, 1er étage | 30 Victoria Street, 1st Floor
Gatineau (Québec) K1A 1H3
Sans frais/Toll free 1-800-282-1376 Tél./Tel.: 819-994-5444 Téléc./Fax: 819-994-5424 www.priv.gc.ca

OCT 13 2016

National Cyber Security Directorate
Public Safety Canada
13th Floor, 340 Laurier Avenue West
Ottawa, Ontario K1P 5K3
ps.cyberconsultation [email protected]

Subject: Submission on Cyber Security

Dear Sir/Madam:

We would like to take this opportunity to provide comment on the privacy implications of Canada's approach to Cyber Security as articulated in your department's Call for Submissions on August 16, 2016, for your consultation on Security and Prosperity in the Digital Age.

By way of background, the mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, along with some aspects of Canada's anti-spam law (CASL). The OPC's mission is to protect and promote privacy rights of individuals.

Context

Privacy and cyber-security are very much interconnected. On one hand, challenges for cyber security are also challenges for privacy protection. Just as organizations must stay abreast of the latest cyber threats in order to protect their IT systems, so too must privacy officers if they are to adequately safeguard the personal information entrusted to them by their clients, customers and employees. On the other hand, cyber-security policy can also threaten privacy. Sometimes strategies put in place to combat cyber threats have the unintended consequence of infringing on people's privacy. There is a risk that cyber security strategies and activities result in surveillance regimes for unlimited and unending monitoring and analysis of the personal information of individuals.

In 2014, the OPC produced a research report which examines the common interests and tensions between privacy and cyber security. It explores how challenges for cyber security are also challenges for privacy and data protection, considers how cyber security policy can affect privacy, and notes how cyberspace governance and security is a global issue. Finally, it sets out key policy directions with a view to building privacy values into cyber security policy direction, encouraging legislative approaches that incentivize cyber security preparedness, and generating dialogue on cyber security as an important element of online privacy protection.[1] The government's consultation paper is a good step in the direction of encouraging such a dialogue.

We strongly urge the government to review our paper for a broader overview of the privacy implications. What follows below are comments (and links to relevant materials prepared by the OPC) in response to specific questions found in the consultation paper.

TREND #1: EVOLUTION OF THE CYBER THREAT

Theme 1.1: Addressing Cybercrime - Law Enforcement, public and private sector protections

When addressing cybercrime, law enforcement needs to be mindful of the implications of their activities on Canadians' privacy. Privacy Impact Assessments (PIAs) are an important privacy risk reduction exercise and planning tool, and are required in certain circumstances under federal government policy. The PIA process helps determine whether government initiatives involving the use of personal information raise privacy risks; measures, describes and quantifies these risks; and proposes solutions to eliminate privacy risks or mitigate them to an acceptable level. Whether it is law enforcement addressing the growing challenges posed by cybercrime, or government institutions that hold large amounts of citizen and employee personal information, conducting PIAs will help ensure compliance with the Privacy Act, provide transparency to Canadians about how their personal information is treated by government, and ensure accountability for the use of personal information. For more information on PIAs, please refer to:

• Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada, 2011;[2]
• Top Ten Dos and Don'ts for Privacy Impact Assessments, 2016.[3]

Under Canada's private sector privacy laws, organizations are accountable for protecting the personal information under their control. They are responsible for identifying privacy-related obligations and risks and appropriately addressing them in developing their business models and related technologies, business practices and safeguards before they launch new products or services. They also need to minimize risks to their organization and to their employees and customers, as well as mitigate the effects of any privacy breaches. They do this by having an evergreen privacy management program that encompasses these considerations on an ongoing basis.

[1] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2014/cs_201412/
[2] https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_201103/
[3] https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/02_05_d_59_pia/

The OPC has produced a number of publications aimed at helping organizations meet their accountability and security requirements as well as addressing specific privacy and security threats, including:

• Getting Accountability Right with a Privacy Management Program;[4]
• Security Self-Assessment Tool;[5]
• Ten Tips for Reducing the Likelihood of a Privacy Breach, 2014;[6]
• Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?, 2015;[7] and
• Electronic and digital payments and privacy.[8]

An important development in Canada's cyber security efforts was the passage in 2014 of Canada's anti-spam legislation (CASL), which helps to protect Canadians' personal information online. The OPC shares enforcement responsibilities for CASL with the CRTC and the Competition Bureau. Our role focuses on two types of violations:

• the harvesting of electronic addresses, in which bulk lists of email addresses are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses; and
• the collection of personal information through illicit access to other people's computer systems, primarily through means such as spyware.

The OPC's spam-related public resources include:

• Internet threats associated with spam, 2011;[9]
• A detailed guide for businesses doing e-marketing, 2015;[10] and
• Helpful tips for businesses doing e-marketing, 2015.[11]

[4] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/gl_acc_201204/
[5] https://services.priv.gc.ca/resource/tool-outil/security-securite/english/AssessRisks.asp?x=1
[6] https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/02_05_d_60_tips/
[7] https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/mobile-devices-and-apps/gd_byod_201508/
[8] https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/02_05_d_68_dp/
[9] https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/spam/spam_01/
[10] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/legislation-related-to-pipeda/canadas-anti-spam-legislation/casl-compliance-help-for-businesses/casl_guide/
[11] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/legislation-related-to-pipeda/canadas-anti-spam-legislation/casl-compliance-help-for-businesses/casl_tips_org/

The OPC recently completed its first investigation under CASL against an entity called Compu-Finder.[12] The company did not have in place a privacy management program, which meant that they could not demonstrate that they had consent for the use of email addresses. They have since agreed to put such a program in place.

Putting in place safeguards to protect personal information against illegal activity such as malware and other types of fraud is not only a legislated requirement but also essential to preserving trust in Canada's digital economy. Canada's future economic growth depends on innovation and on having strong privacy and security frameworks in place to support citizens and organizations.

The Privacy Act, unlike PIPEDA, does not contain any requirements on government institutions to safeguard the personal information under their control. The OPC has made recommendations to Parliament to address this issue (among others) with a view to encourage the reform and modernization of the Act to address the evolution in technology and its use since the Act came into force in 1983.[13]

Theme 1.2: Policing in Cyberspace

As far as public expectations go, regarding privacy and police investigations of internet activity, both polls and Courts in Canada have been very clear. They assert that privacy rights and freedoms protected by the Charter, what we enjoy as citizens in our daily offline lives, should carry over online. The Supreme Court of Canada made this clear in the 2014 case R. v. Spencer. In terms of police powers specifically, the investigative tools used online should carry the same safeguards, authorization thresholds, burdens of proof and minimization requirements as would their equivalents in offline search and seizure. The SCC in Spencer and other previous rulings have been quite consistent in this regard; as a society, we do not compromise protection of fundamental rights to make policing more convenient or expedite prosecution.

In March 2015, police were provided a suite of new tools under the Protecting Canadians from Online Crime Act (PCOCA). These included, among others, powers to trace electronic communications, track digital transactions, and order preservation of online evidence. It is incumbent upon government institutions to demonstrate the evidence of a serious issue and to explain how it would set about overcoming that investigative hurdle. On a final note, we think there are connections between the issues raised in this consultation paper and in the consultation on national security, launched shortly after this one. We will be providing further comments on law enforcement and national security agencies' activities in the context of that consultation. We will be making our comments public.

[12] https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-003/
[13] https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2016/parl_sub_160322/

Theme 1.3: Protecting Against Advanced Cyber Threats

In an environment where cyber attacks are a daily occurrence, one cannot overstate the importance of a comprehensive, overarching security framework to protect against unauthorized breaches of personal information. A recent investigation[14] by the OPC into a privacy breach of the adult dating website Ashley Madison revealed how crucial it is for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected. The OPC has reminded organizations holding sensitive personal information or a significant amount of personal information to have information security measures in place, including:

• a security policy;
• an explicit risk management process that addresses information security matters, drawing on adequate expertise; and
• adequate privacy and security training for all staff.

Mandatory data breach notification laws are an effective way of strengthening organizations' accountability for protecting the personal information in their control and ensuring that adequate safeguards are in place. According to the 2016 CIGI-Ipsos Global Survey on Internet Security and Trust,[15] 18% of Canadians have been notified of a privacy breach. To date, the approach to data breach notification in Canada has not been consistent. Organizations are required to report breaches of health information in several provinces, including Ontario, New Brunswick and Newfoundland and Labrador. Private sector organizations are subject to mandatory breach notification under Alberta's Personal Information Protection Act and will be under the federal PIPEDA.[16] Federal institutions subject to the Privacy Act are required under federal government policy to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat of all material privacy breaches and of the mitigation measures being implemented. The OPC has recommended that breach reporting be made a legal requirement under the Privacy Act.[17]

Security is enhanced through mandatory breach notification as a picture emerges of security practices more broadly and allows for systemic issues to be identified and addressed.

[14] https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/
[15] https://www.cigionline.org/internet-survey-2016
[16] The mandatory breach reporting provisions are not yet in force.
[17] https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2016/parl_sub_160322/

There is also a leveling of the playing field for organizations in terms of enforcement. Having all organizations be subject to the same obligations avoids organizations unfairly being singled out when they proactively report breaches.

Theme 1.4: Increasing Public Engagement/Theme 2.1: Strengthening Consumer Confidence in e-Commerce

As part of our mandate to promote public awareness and understanding of privacy issues and privacy rights, the OPC regularly publishes a variety of educational resources for individuals. We believe that a great defence against a wide range of privacy risks, including unauthorized access to personal information, is individuals' knowing their rights and making choices about what personal information to share, with whom, and for what purpose. For example, we have produced resources on best practices for protecting personal information, including:

• Identity Theft and You, 2014;[18]
• 10 Tips for preventing identity theft, 2013;[19]
• Top 10 tips to protect your inbox, computer and mobile device, 2015.[20]

The OPC also works diligently to educate individuals and organizations on the privacy implications of new technologies, government initiatives and business practices. In addition to internally produced research reports on topics which include drones[21] and predictive analytics,[22] the OPC also funds independent research through the Contributions Program. The goal of the program is to generate new ideas, approaches and knowledge about privacy that organizations can apply to better safeguard personal information and that individual Canadians can use to make more informed decisions about protecting their privacy. Most recently, we funded research reports on such diverse subjects as the connected car[23] and the security of fitness trackers.[24]

The OPC has also issued guidance (mentioned throughout this document) to help organizations do a better job of protecting personal information that they control. While individuals should take steps to be aware of risks and to protect themselves accordingly, it should not all rest on individuals to protect their personal information. Organizations must address these issues. Trust in the digital economy depends on it.

[18] https://www.priv.gc.ca/en/privacy-topics/identity-and-privacy/identity-theft/guide_idt/
[19] https://www.priv.gc.ca/en/privacy-topics/identity-and-privacy/identity-theft/idt_info_201303/
[20] https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/online-privacy/spam/casl_tips_ind/
[21] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/drones_201303/
[22] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2012/pa_201208/
[23] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/funding-for-privacy-research-and-knowledge-translation/completed-contributions-program-projects/2014-2015/p_201415_06/
[24] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/funding-for-privacy-research-and-knowledge-translation/completed-contributions-program-projects/2015-2016/p_201516_06/

Conclusion

There is a growing need for cybersecurity and data protection collaboration in an increasingly borderless world. Your renewed approach to cyber security draws attention to the need for promotion and protection of freedoms online and the need for collaboration and coordination across jurisdictions. Against that backdrop, it is imperative that cyber security specialists and privacy protection authorities like the OPC work even more closely together to improve defences in the public and private sectors, and ensure privacy protection is a guiding principle in cyber security efforts.[25] We welcome the opportunity to contribute to this dialogue.

Sincerely,

Daniel Therrien
Commissioner

[25] https://www.priv.gc.ca/en/opc-news/speeches/2013/sp-d_20131023/

Commissaire à la protection de la vie privée du Canada | Privacy Commissioner of Canada

JUN 4 2014

The Honourable Dennis Dawson, Senator
Chair, Senate Committee on Transport and Communications (TRCM)
The Senate of Canada
Ottawa, Ontario K1A 0A4

Dear Mr. Chair:

Please find enclosed a copy of the Office of the Privacy Commissioner of Canada's submission on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act.

We believe that, on the whole, Bill S-4 will strengthen privacy protections for Canadians and build consumer trust in the digital economy. We look forward to appearing before your Committee and answering any questions you may have.

[signed] Patricia Kosseim
Senior General Counsel and Director General, Office of the Privacy Commissioner of Canada

cc: Daniel Charbonneau, TRCM Committee Clerk


Commissaire à la protection de la vie privée du Canada | Privacy Commissioner of Canada

Submission of the Office of the Privacy Commissioner of Canada to the Senate Standing Committee on Transport and Communications on Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

INTRODUCTION

The Personal Information Protection and Electronic Documents Act (PIPEDA) received Royal Assent on April 13, 2000 and it came into force in stages, beginning on January 1, 2001. PIPEDA came fully into force on January 1, 2004.

PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities. It also applies to the collection, use and disclosure of personal information pertaining to the employees of federal works, undertakings and businesses (FWUBs) - banks, airlines, telecommunications and broadcasting companies and other federally regulated industries.

The Purpose of PIPEDA as set out in section 3 is:

to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

THE PARLIAMENTARY REVIEW

PIPEDA contains a provision requiring a Parliamentary Review every five years following the coming into force. The purpose of the Review is to ensure that the legislation is operating as it should, with the desired effects.

The House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Standing Committee) commenced a review in 2006 and issued its Report in May 2007 after hearing from more than 60 witnesses and receiving more than 30 submissions. The Review provided interested stakeholders with an opportunity to raise issues and identify possible changes to the Act to ensure that the broad policy objectives would continue to be met.

Bill S-4, the Digital Privacy Act, is the third Bill that has been introduced to update PIPEDA. Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians' Personal Information Act), was introduced on May 25, 2010. Bill C-12, which was essentially identical to Bill C-29, was introduced on September 29, 2011. Both C-29 and C-12 died with prorogation. While S-4 contains some of the provisions in the previous Bills, it contains new provisions and it does not include some of the amendments proposed in C-29 and C-12.

COMMENTS ON SPECIFIC PROVISIONS IN S-4

Bill S-4 amends many provisions in PIPEDA. On the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In particular, we welcome proposals to introduce a mandatory breach notification regime, and the compliance agreement provisions that will make it easier for our Office to ensure that companies meet the commitments they have made during investigations.


30, rue Victoria, 1er étage | 30 Victoria Street, 1st Floor, Gatineau (Quebec) K1A 1H3

Sans frais/Toll free 1-800-282-1376 Tél./Tel: 819-994-5444 Téléc./Fax: 819-994-5424 www.priv.gc.ca


In general, we also support other proposed amendments that address problems or gaps that have become apparent during the more than thirteen years that PIPEDA has been in force. We will however raise some questions about the proposals to allow organizations to more easily disclose personal information to other organizations without consent and we will suggest improving an existing provision in PIPEDA (paragraph 7(3)(c.1)) not addressed in S-4.

Breach Notification

S-4 adds three new sections to PIPEDA: 10.1, 10.2 and 10.3, dealing with "Breaches of Security Safeguards". An organization that has experienced a breach of security safeguards involving personal information under its control will be required to provide notification in three circumstances:

• to the Privacy Commissioner "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual";

• to the individuals whose personal information is involved "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual"; and

• to other organizations or government institutions if the notifying organization believes that the other organization or the government institution may be able to reduce the risk of harm that could result from the data breach or mitigate that harm.

The definitions section defines a breach of security safeguards as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards."

We strongly support these provisions. During the last few years we have seen a number of high profile data breaches both in Canada and abroad that compromised the personal information of Canadians. These provisions will create an incentive for organizations to take information security more seriously. In addition, they will provide individuals with information that will help them mitigate the risks resulting from the loss of, or unauthorized access to, their personal information.

Implementing mandatory breach notification provisions will bring PIPEDA into line with many other jurisdictions:

• Alberta's Personal Information Protection Act (PIPA) and some provincial personal health information protection acts contain mandatory breach notification;

• Almost every state in the United States has legislation making notification of individuals mandatory in certain circumstances; and

• The recently revised OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data contain a breach notification recommendation.

S-4 proposes a risk-based approach that will require organizations themselves to assess each incident on a case-by-case basis to determine the seriousness of the incident and its potential impact on the affected individuals. We support a risk-based approach. Furthermore, we believe that the organization experiencing the breach is in the best position to assess the risks to decide whether notification is warranted.


As for the threshold for notification, we believe it would be counterproductive to require organizations to notify individuals of all breaches. Similarly, we do not think it would be practical or efficient to require organizations to notify our Office of all breaches.

S-4 will require organizations to keep and maintain a record of every breach and provide our Office with a copy of this record on request.1 Requiring organizations to keep a record of all breaches, including ones where a decision has been made not to notify, is critically important. It will allow our Office to evaluate compliance with the notification provisions and assess how organizations are making the determination whether to notify.

S-4 contains related amendments to subsections 11(1) and 14(1) to allow for complaints and potential court review concerning a failure to comply with the breach notification provisions. These are important provisions that will provide redress for individuals who are affected by data breaches.

Compliance Agreements and Timelines for Federal Court Applications

A new section 17.1 will allow the Commissioner to enter into compliance agreements with organizations if the Commissioner "believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission" that could constitute a contravention of the Act or a failure to follow a recommendation set out in Schedule 1. The agreement may contain any terms that the Commissioner considers necessary to ensure compliance with the Act. If the Commissioner determines that the organization is not complying with the terms of the compliance agreement, the Commissioner must notify the organization and may apply to the Court for

(a) an order requiring the organization to comply with the terms of the agreement, in addition to any other remedies it may give; or

(b) a hearing under subsection 14(1) or paragraph 15(a) or to reinstate any suspended court proceedings.

At present, the Commissioner may seek resolution of a complaint to our Office through negotiation, persuasion and mediation. The Commissioner has no direct enforcement powers. She and/or the complainant have to apply to the Federal Court to seek an order requiring the respondent to take action to correct its practices or award damages to the complainant. In either case, the hearing will be a de novo litigation proceeding which requires considerable resources, and the application must be made within 45 days after a report has been issued unless special leave is obtained from the Court to file an application beyond this timeframe.

As the issues that we are addressing in investigations have become more complex, organizations sometimes require several months to implement our recommendations. If an organization fails to live up to its commitment to implement a recommendation within 45 days of the completion of our report, our ability to go to Court past this statutory deadline is uncertain. This can leave us little choice other than to initiate a court action prematurely, only to have to suspend it as negotiations continue; or to initiate a new investigation so as to press the reset button on the 45-day deadline. Either way, this is not an efficient use of time or resources.

Giving us the authority to enter into voluntary compliance agreements formalizes what we have been trying to do in practice - effectively resolve issues to enhance the privacy of Canadians.


1 The Bill gives the Governor in Council the authority to make regulations to specify the information to be maintained in a record.


We strongly support these provisions. They will:

• make it easier for our Office to ensure that companies carry through on commitments they have made during investigations;

• provide an incentive for organizations to enter into an agreement and to honour their commitments;

• provide a recourse mechanism for our Office should organizations fail to live up to an agreement; and

• give all parties more flexibility to reach resolution of complex issues within a more realistic and reasonable timeframe as an alternative to immediate litigation.

Broadening Public Interest Disclosures

Bill S-4 will clarify the scope of the confidential information that the Commissioner can disclose when he or she considers it is in the public interest to do so. The proposed amendment will allow disclosure of "any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers." At present, subsection 20(2) of PIPEDA refers only to "information relating to the personal information management practices of an organization". This will broaden the Commissioner's ability to disclose more meaningful information in the public interest.

Clarification of Requirements for Valid Consent

The new section 6.1 being proposed states "the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting."

PIPEDA already requires "knowledge and consent". Principle 4.3.2 requires that "To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed."

We think this is an important and valuable amendment that will clarify PIPEDA's consent requirements. By requiring organizations to make a greater effort to explain why they are collecting personal information and how it will be used, this proposed amendment should help make consent more meaningful for all individuals, particularly for young people for whom the digital world is an integral part of their daily lives.

Employee Information

S-4 contains four sets of amendments dealing with employee information:

Applicant Information

At present PIPEDA applies to the personal information of employees of federal works, undertakings or businesses (FWUBs). S-4 proposes to expand the application of the Act to the personal information of "an applicant for employment with" a FWUB. We support this change. Clarifying that PIPEDA applies to prospective employees of FWUBs fills a gap in the protection of "employee" information.


Collection, Use or Disclosure of Employee Information without Consent

A new section (7.3) is being added to allow FWUBs to collect, use or disclose without consent personal information "necessary to establish, manage or terminate an employment relationship."

Obtaining meaningful consent in a workplace environment is very challenging given the uneven bargaining power between employer and employee. Artificially requiring consent in situations where it cannot be freely given or withheld risks watering down the value and meaning of consent more generally.

Although the requirement to obtain consent will be removed, a number of important protections will exist. First of all, the FWUB will have to inform the individuals that their personal information will be or may be collected, used or disclosed for the specified purposes. Secondly, the new section limits the collection, use and disclosure to that "necessary" for these purposes. The term "necessary" in the new section is critical because of the new ways that organizations can collect information about employees and prospective employees, for example, through Internet searches and from social networks.

Finally, subsection 5(3) will continue to apply. This states that an organization may collect, use or disclose personal information "only for purposes that a reasonable person would consider appropriate in the circumstances." This would allow us, for example, to investigate a complaint about an employer that may be inappropriately collecting personal information about employees or prospective employees from social networking sites.

Work Product Information

S-4 contains three amendments allowing the collection, use or disclosure, without consent, of information "produced by the individual in the course of their employment, business or profession." This information is typically referred to as "work product" although the term is not used in S-4.

Our Office has consistently opposed excluding or carving out work product from the definition of personal information on the grounds that doing so could result in intrusive workplace monitoring and other unintended or unanticipated consequences, since this information would no longer be protected by PIPEDA at all. We prefer instead to deal with work product issues under PIPEDA on a case-by-case basis that allows us to determine the true nature of the information in a given context.

We are pleased that S-4 does not categorically exclude work product from the definition of personal information. The Bill proposes to remove the requirement to obtain consent but other protections would remain such as the collection limitation principle, the requirement to safeguard the information and the right of access and correction.

As well, we are pleased that the consent exemption for work product information would only apply if the collection, use or disclosure was "consistent with the purposes for which it was produced." This is an important limitation which we support. We can accept these amendments provided that S-4 does not exclude work product information from the definition of personal information and that the collection, use or disclosure of this information is limited to consistent purposes.

Business Contact Information

The existing definition of "personal information" in PIPEDA excludes the "name, title or business address or telephone number of an employee of an organization". This means that this information is not subject to PIPEDA.


S-4 proposes to remove the reference to this business contact information from the definition of personal information and add a new definition of business contact information defined as "an individual's name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual."

In addition, section 4 of PIPEDA dealing with the Application of the Act will be amended to state that the Act does not apply to business contact information provided it is collected, used or disclosed "solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession."

This means that an organization could use an employee's or a professional's telephone number or e-mail address to contact him or her about the services offered by the business without engaging PIPEDA. However, if the organization used the telephone number or e-mail address in an attempt to sell an unrelated product or service, the organization would be required to comply with PIPEDA.

These proposed amendments make sense. Communicating by e-mail has become routine in the 13 years since PIPEDA came into force. The qualification at the end provides additional protection for all business contact information. This strikes the right balance.

Disclosures without Consent

Communicating with the Next of Kin

At present, paragraph 7(3)(c.1) allows organizations subject to PIPEDA to disclose information, without consent, to a government institution, or part of a government institution that has requested the information and identified "its lawful authority" in three situations.

S-4 adds a situation in which an organization can disclose without consent under 7(3)(c.1):

"for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual."

This proposed amendment would, for example, allow a telecommunications company to disclose to a law enforcement agency an unlisted telephone number needed to contact the next of kin or it would allow an air carrier to release the names and contact information of passengers involved in an accident. The British Columbia and Alberta private sector acts have similar provisions.

Identification of Injured, Ill or Deceased Persons

A new paragraph 7(3)(d.4) is being proposed to allow an organization to disclose information to a government institution or part of a government institution or the individual's next of kin or authorized representative to identify an individual who is injured, ill or deceased. If the individual is alive, the organization has to inform the individual in writing of the disclosure.

This provision is designed to deal with what should be relatively rare situations where a law enforcement agency or other government body needs the personal information to confirm identity.

The two proposed amendments discussed above add new grounds for disclosing personal information without consent for compassionate or humanitarian purposes. We support these provisions; we believe there is little risk of abuse; and do not anticipate that they will be used frequently.


Financial Abuse

A new paragraph 7(3)(d.3) is being proposed to allow an organization on its own initiative to disclose information to a government institution or part of a government institution or the individual's next of kin or authorized representative, if "the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse" and the disclosure is made solely for the purpose of investigating or preventing the abuse. In addition, the organization has to reasonably expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse.

The banking industry has been calling for this provision to deal with the financial abuse of seniors although it is not limited to seniors. We understand the rationale for the proposed amendment; however, we would urge the Committee to consult with financial institutions, seniors' organizations and other stakeholders on the ground to get a real sense of the scope or severity of the problem this provision is intended to address. Ultimately, the challenge will be to weigh the need to protect persons in vulnerable situations from real risk of financial abuse with the need to respect their privacy and dignity.

Disclosures without Consent to another Organization (Replacing the Investigative Body Scheme)

PIPEDA provides - in paragraph 7(3)(d) - that an organization can disclose personal information, without the knowledge or consent of the individual, to an investigative body when there are "reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed."

The Act does not define the term "investigative body". The Act allows the Governor in Council under paragraph 26(1)(a.01) to designate investigative bodies. There are currently approximately 75 investigative bodies. Each application is confirmed by regulation which is resource intensive and time-consuming.

The Standing Committee recommended that PIPEDA be amended to replace the process of designating investigative bodies with a definition of investigation similar to that found in the Alberta and British Columbia Personal Information Protection Acts.

Bill S-4 proposes to eliminate the investigative body regime. In its stead, two new paragraphs 7(3)(d.1) and 7(3)(d.2) will be added to allow an organization to disclose personal information without consent to another organization if:

• it is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation; or

• it is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.


These discretionary amendments would roughly align PIPEDA with the British Columbia and Alberta laws that do not have an investigative body regime. The BC and Alberta laws define "investigation" and "proceeding"2 and allow the collection, use or disclosure of personal information without consent if it is reasonable for these purposes.

While we understand the challenges created by the existing investigative body regime, we have some reservations about the proposed amendments. First, we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used. The proposed 7(3)(d.2) would allow disclosures without consent to another organization to "prevent fraud". Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud. For example, this could lead to the creation of black lists based merely on suspicion. We therefore suggest that the reference to preventing fraud be removed.

The threshold for these disclosures also raises questions. Bill S-4 would allow disclosures that are "reasonable" for the stated purposes, whereas we recommend the threshold be amended to "necessary", as was the case with predecessor Bills C-29 and C-12.

Finally, there is the issue of transparency. These disclosures will be invisible to the individuals concerned and to our Office. In order to provide greater accountability, we recommend that the Committee consider ways to require organizations to be more transparent about the disclosures they would make under this provision.

Furthermore, the decision to disclose should be made on a case-by-case basis and the disclosing organization should document and conduct appropriate due diligence to ensure such disclosures are reasonable, or necessary if our suggestion is accepted, for the stated purpose and that obtaining consent would compromise this purpose.

Collection, Use and Disclosure of Witness Statements

S-4 contains three separate amendments allowing an organization to collect, use or disclose witness statements without consent provided it is "necessary to assess, process or settle an insurance claim." (emphasis added). These amendments were added at the request of the insurance industry.

While we understand the insurance industry's position we are not convinced that there is a compelling need for these amendments. We have not been presented with any information demonstrating that the absence of these provisions has created a problem for the industry. If this amendment is adopted we believe that it is essential to retain the important qualification in S-4 that the collection, use or disclosure be "necessary" for the stated purposes to limit the potential for "fishing expeditions".

Use and Disclosure of Personal Information for "Business Transactions"

There are currently no provisions in PIPEDA that allow the disclosure of personal information without consent for due diligence purposes in anticipation of the sale or transfer of business assets. Other legislation such as Ontario's Personal Health Information Protection Act (PHIPA) and the Alberta and British Columbia private sector acts contain provisions allowing disclosures subject to stringent confidentiality agreements.


2 The Alberta Act uses the term "legal proceeding".


Bill S-4 proposes to add a new section 7.2 to allow organizations contemplating a "business transaction" to use and disclose personal information without consent subject to certain conditions and safeguards.

The organizations that are parties to the prospective business transaction can only use and disclose the personal information if it is necessary to determine whether to proceed with the transaction and to complete the transaction (emphasis added). In addition,

• the organization receiving the personal information has to enter into an agreement to use or disclose the information only for the specific purpose, to protect the information and to return or destroy the information if the transaction does not proceed;

• if the transaction is completed, the parties have to enter into an agreement to limit the use or disclosure of the information to the purposes for which it was collected, to protect it and to honour any withdrawals of consent; and

• following completion, one of the parties has to notify the affected individuals of the transaction and the disclosure.

Subsection 7.2(4) contains a further limit on the use of these provisions. It states that they do not apply in the case of a business transaction "of which the primary purpose or result of the transaction is the purchase, sale or other acquisition or disposition, or lease, of personal information."

We understand the rationale for these amendments. If these proposed business transactions provisions are adopted, the accompanying safeguards and limitations are needed to minimize the risk that these new provisions will be abused.

Other Amendments

Section 25 of PIPEDA requires the Commissioner to submit a report to Parliament "as soon as practicable after the end of each calendar year." However, section 38 of the Privacy Act requires the Commissioner to submit an annual report to Parliament "within three months after the termination of each financial year." This means that we have two different reporting periods for PIPEDA and the Privacy Act. As a result, we produce two separate annual reports, which is not an efficient use of resources, particularly since not all issues can be neatly categorized as coming under either PIPEDA or the Privacy Act and we frequently end up discussing the same issue in both reports. We are pleased that S-4 proposes to amend PIPEDA to allow us to report on PIPEDA on a financial year basis.

A Word about Transparency: Disclosures without Consent under Paragraph 7(3)(c.1)

We applaud the provisions in Bill S-4 that will create greater accountability and transparency to organizations' personal information handling practices. In that same spirit, however, we believe more transparency is required around paragraph 7(3)(c.1) disclosures.

Paragraph 7(3)(c.1) states that an organization may disclose personal information to a government institution or part of a government institution without the knowledge or consent of the individual if the government institution has requested it; has identified its "lawful authority"; and has indicated one of the following:

i. it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

ii. the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law; or


iii. the disclosure is requested for the purpose of administering any law of Canada or a province.

This provision is discretionary; it does not require the organization to disclose the requested information. Organizations can refuse these requests and many do so when they believe the requesting authority should obtain a court authorized order. However, we know that many organizations do disclose personal information in response to requests from law enforcement and other government agencies with more or less push back.3

PIPEDA does not contain any provisions requiring organizations to report on these disclosures. In our PIPEDA reform paper, dated May 2013, we recommended that organizations be required "to publicly report on the number of disclosures they make to law enforcement under paragraph 7(3)(c.1), without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception." We suggested that organizations should at a minimum be required to keep a record of tombstone data related to such disclosures, and they should be required to post, in a publicly available fashion, the number of such disclosures that they make on a quarterly basis.

We made a similar recommendation in our January 2014 Special Report to Parliament, "Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance." In fact, many organizations, particularly in the U.S., already report on such disclosures at no apparent disadvantage or detriment to their bottom line.

We would urge the Committee to consider ways to enhance the transparency of these disclosures.

CONCLUSION

Bill S-4 is the result of a Parliamentary Review that took place seven years ago. It reflects a world in which cloud computing, big data, smart phones and tweeting were not everyday realities. Today, massive amounts of personal information are being collected, analyzed, combined with other data and used in ways that few people can comprehend. These changes threaten to erode the trust on which today's digital economy rests.

Given the huge changes that have taken place in our society and in the global business environment we believe it is critical to update PIPEDA to ensure it is still fit for purpose. When it was introduced, PIPEDA was considered a leader for its technology-neutral, principles-based approach. However, the past decade has seen the emergence of new generation privacy laws that have institutionalized breach notification requirements and given privacy enforcement authorities stronger powers - leaving PIPEDA sorely lagging behind.

Canada has long been a leader in privacy. Passing Bill S-4 will help us remain a leader in ensuring the adequate protection of Canadians' privacy interests and building the trust needed for a vibrant and sustainable digital economy. In particular, the mandatory breach notification requirements and the voluntary compliance agreement provisions in Bill S-4 will make the Act stronger and will help to create the incentives needed to restore some balance in PIPEDA.

We look forward to an eventual review of PIPEDA to ensure that it can meet the challenges posed by the digital age.

3 See the "Response from the independent counsel for the Canadian Wireless Telecommunications Association regarding information requests from government authorities" - http://www.priv.gc.ca/media/nr-c/2014/let_140430_e.asp

30, rue Victoria, 1er étage | 30 Victoria Street, 1st Floor


Discussion document on data breach notification and reporting regulations
Submission to Innovation, Science and Economic Development Canada
June 10, 2016

Mr. John Clare
Director, Data Protection and Privacy Policy Directorate
Innovation, Science and Economic Development
235 Queen Street
Ottawa, Ontario K1A 0H5

Dear Mr. Clare:

I am pleased to provide the Office of the Privacy Commissioner of Canada’s (OPC) views on elements of the Personal Information Protection and Electronic Documents Act (PIPEDA) data breach reporting and notification requirements that may be prescribed in regulations.

You will recall that during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner, Daniel Therrien, expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.

We appreciate the opportunity to provide our views on important regulatory specifications, particularly in light of our oversight function and role in developing guidance for organizations.

To the extent necessary, the Office will develop guidelines on responding to data breaches, to complement parameters set out in regulations and further assist organizations comply with their new responsibilities under PIPEDA.

Real Risk of Significant Harm

The analysis that organizations must perform to determine whether a breach of security safeguards involves a real risk of significant harm is at the core of PIPEDA’s new reporting and notification requirements. The OPC recognizes that ISED may wish to provide organizations, particularly small- and medium-sized firms, with more certainty on the factors that are relevant in conducting this assessment. However, we note that the factors identified under subsection 10.1(8) of the Act already capture the key elements that organizations would need to consider in making their risk determination. If additional factors become necessary as we gain more experience with notifications, OPC guidance could outline these or, if necessary, the regulations could be amended.

To that end, we would suggest that additional assistance to organizations on conducting an assessment of risk can be provided in OPC guidance.

The discussion paper asks if the regulations should specify a presumed “low risk” in data breaches where appropriate encryption has been used. Similarly, comments are requested on how an appropriate level of protection should be defined. The OPC would take the position that appropriate use of encryption can indeed form part of a broader range of considerations when evaluating the probability that the personal information “has been, is being or will be misused”.

From that standpoint, the risk of harm associated with the loss, theft or inappropriate access of personal information may be significantly lowered by the use of appropriate encryption (Footnote 1). However, while appropriate encryption plays a significant role in reducing or eliminating the risk of harm associated with a breach, other considerations may influence its effectiveness.

For instance, as algorithms evolve, encryption standards once deemed strong may eventually be rendered decipherable. Alternatively, organizations may suffer a compromise of their key management systems. In either case, personal information could then be easily decrypted (Footnote 2).

We also recognize that not all organizations will have the systems, resources or ability to map all vulnerabilities and risks, or be in a position to effectively mitigate these with encryption. They may not be able to confirm that information has not been rendered unusable, unreadable or indecipherable, or they may not even know whether a key has been breached. In such circumstances, the use of encryption should not be equated with a low risk to individuals.

Reports to the Privacy Commissioner of Canada

Reports to the Commissioner will perform a critical function in supporting the Commissioner’s oversight responsibilities with respect to how organizations respond to breaches. Accordingly, these reports should provide sufficient information so that the Office may effectively assess whether organizations are appropriately notifying individuals and evaluate whether they have applied appropriate measures to contain breaches, mitigate the risk of harm to individuals and prevent future breaches of a similar nature. Contents of the reports should also help identify and address systemic security and information-handling weaknesses.

To that end, we would suggest that the following elements be included in reports to the Commissioner:

• Name of responsible organization;
• Contact information of an individual who can answer questions on behalf of the organization;
• Description of the known circumstances of the breach, including:
  o Estimated number of individuals affected by the breach;
  o Description of the personal information involved in the breach;
  o Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
  o A list of other organizations involved in the breach, including affiliates or third party processors;
• An assessment of the risk of harm to individuals resulting from the breach;
• A description of any steps planned or already taken to notify affected individuals, including:
  o date of notification or timing of planned notification;
  o whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
  o a copy of the notification text or script;
• A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
• A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals;
• A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

You will note above that we suggest including in the report to the Commissioner a summary of the organization’s risk assessment. In addition to the utility to organizations of reporting on this assessment, the information would prove useful to the OPC in observing whether organizations are over-reporting and over-estimating the risk of harm associated with certain breaches. This description could also inform the OPC’s eventual development of complementary guidance to that effect.

We would also advise that reports to the Commissioner be undertaken in written form, with appropriate flexibility with respect to actual digital or paper format. As well, while organizations should undertake every effort to ensure that the content of original reports to the Office are complete and accurate, they should also be required to provide updated information and to submit addendums to reports, as soon as feasible, when substantial information provided in the original report has changed or has been found to be inaccurate or incomplete.

Notification to Individuals

The prescription of additional content requirements for notifications to individuals would provide important clarity and certainty about the type of information that organizations should communicate to individuals. With this additional information, individuals may be better able to understand the significance of the breach to them and reduce or mitigate the risk of harm.

The OPC’s “Key Steps for Organizations in Responding to Privacy Breaches” document provides a comprehensive list of elements to be included in individual notifications, and has proven effective in ensuring that individuals are provided with necessary information about breaches. Consistent with our “Key Steps” document, we would also note that the content of notifications should be permitted to vary depending on the particular breach and the method of notification chosen. Based on this document (Footnote 3), we would propose that the following elements be specified in regulations:

• Description of the circumstances of the breach incident;
• Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
• Description of the personal information involved in the breach;
• Description of the steps taken by the organization to control or reduce the harm;
• Steps the individual can take to reduce the harm or further mitigate the risk of harm;
• Contact information of an individual who can answer questions about the breach on behalf of the organization;
• Information about right of recourse and complaint process under PIPEDA.

Organizations should be permitted to use a variety of communication methods to directly notify individuals, including but not limited to, in-person discussions, telephone calls, emails or mailed letters, depending on the circumstances. The regulations should be technology neutral, such that other effective digital means of communications, including those that could be developed in the future may also be used. Methods employed must be documented, verifiable, and the notice given must be in plain language and stated in such a manner that an individual can reasonably understand the information provided.

Whether in the content of the notification itself, or in selecting the method or methods of notification, organizations should ensure that they do not increase the risk of harm to the individual associated with the breach.

The discussion document seeks views on whether the regulations should set out specific requirements for notifications to be conspicuous and distinct from other communications. Given the variety of methods that can be used to notify individuals and the highly context-specific nature of these communications, we would suggest that information on how to make notifications clearly visible, and how to design them in a way that attracts attention, might lend itself better to guidance.

Indirect notification

The Office would propose that organizations only be permitted to notify individuals indirectly in specific circumstances:

• When direct notification is likely to cause undue further harm, for example when direct notification may alert others, such as family members, of the purchase of a product or access to a service by the individual which the individual would wish to keep confidential;
• When giving direct notification to every affected person on an individual basis would involve prohibitive costs to the organization and unreasonably interfere with its operations;
• When the contact information for affected individuals is not known, for instance when the contact information is unavailable, out of date, incomplete or inaccurate.

Once organizations have demonstrated that they may validly use indirect notification, they should have flexibility in how they indirectly notify affected individuals. The ways in which individuals may be indirectly notified is highly context-specific and as such, we would recommend against prescribing specific methods of indirect notification. Rather, there should be flexibility in methods used, in order to ensure that the information reaches the intended audience. To that end, our understanding is that organizations could engage in both direct and indirect notification of individuals.

We propose that a number of functional characteristics may be specified to assist organizations in maximizing the probability that indirect notification will reach affected individuals. For instance:

• The method used should reflect the geographic market of the organization’s commercial activities along with the geographic distribution of affected individuals;
• It should also be relevant to the type of product or service provided by the organization and appropriate to the nature of the interaction between the organization and the individual;

• The notice should be posted for a sufficient length of time. As well, notices should be in clear and plain language, and stated in a manner that an individual can reasonably understand the information provided;

• Regulations should, in certain circumstances, permit indirect notification through a guardian or authorized representative where appropriate;

• As well, consideration should be given to the possibility of allowing organizations to use a third party to notify on their behalf, provided measures are taken to ensure that the accountability for notifying remains with the organization and that any disclosure and use of personal information necessary to enable notification is compliant with the Act.

Notification to Third Parties

As drafted, subsection 10.1(2) is sufficiently broad and would allow an adequate range of third party organizations to be notified in support of the measure’s policy objectives.

We would not suggest that further conditions be prescribed to require organizations to notify third parties of breaches. As a privacy protection statute, PIPEDA does not compel disclosures. Rather, it is permissive in nature.

Record-Keeping

The new record-keeping requirement will provide the OPC with a useful window into how organizations respond to breaches of security safeguards. As noted in the ISED Discussion Paper, it will “… provide a mechanism for the Privacy Commissioner to provide oversight of the data breach reporting and notification requirements set out in Section 10.1 of the Act.”


In his opening statement to the House of Commons Standing Committee on Industry, Science and Technology (INDU) on Bill S-4, the Digital Privacy Act, Commissioner Therrien emphasized the important role to be played by the new record keeping requirement. In particular, he noted that “…Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.”

To that end, records kept and maintained by organizations should include sufficient information to demonstrate compliance with PIPEDA’s new notification requirements and should contain sufficient information to enable the Office to effectively perform its oversight functions. The content of these records should also assist the OPC in understanding the process through which organizations determine whether or not to notify affected individuals.

Consequently, we believe that the following data elements should be included in records of breaches:

• Date or estimated date of the breach;
• General description of the circumstances of the breach;
• Nature of information involved in the breach;
• Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

Note that records need not contain personal information.

All breaches, including those reported to the OPC, should be documented and recorded on an individual, non-aggregated basis. With respect to retention, we would suggest that records be maintained for a period of five years from the date of creation of the record, after which records could be destroyed, unless they are the object of or are relevant to a Commissioner investigation, audit or compliance agreement or if the matter is the object of a hearing before the Federal Court.

In the discussion document, ISED asks whether regulations should clarify that the obligation to maintain a data breach record applies only to data breaches of which the organization has actual knowledge. In our view, this would not be necessary and may in fact raise some risks. For one, such language risks organizations not putting in place measures to detect and assess breaches. It also risks organizations taking unnecessary steps, or engaging in unnecessary discussions with our Office, about whether or not the organization knew about a breach.

Other Issues

In response to ISED’s stated interest in hearing about any other issues that should be considered in the drafting of the regulations, the Office would suggest that in developing regulations, ISED should consider and reflect situations where affected individuals reside in jurisdictions outside of Canada. In light of the borderless nature of commercial activity, particularly in the online world, organizations that are subject to PIPEDA may collect personal information which pertains to individuals who reside outside of Canada. Generally, organizations are required by the Act to protect the personal information under their control of all individuals, regardless of where they reside. As such, the data breach notification and reporting requirements should consider the extent to which organizations may have to notify individuals outside of Canada who may be affected by a data breach undergone by an organization subject to PIPEDA. Regulations should therefore be crafted to ensure that they do not create any barriers to or inhibit any cross-border notifications that may be required. While we would not recommend the following as a regulatory requirement, we would generally advise organizations that, when they have actual knowledge that individuals affected by a breach of security safeguards reside outside of Canada, they should consider the breach notification laws of those jurisdictions. Further, organizations should also consider notifying the relevant Privacy Enforcement Authority in those jurisdictions, where practicable and feasible.

As well, while notification aims to allow affected individuals to understand the impact of the breach to them and take steps to reduce the risk of harm or mitigate the harm, there may be challenges associated with language. It may be reasonable to require that notification to affected individuals in other jurisdictions be made in the same language as that used during their interactions with the organizations.

Finally, we note that the discussion document indicates that the new data breach requirements will come into force once the Government passes final regulations. As you develop and finalize the regulations, we would be prepared to develop guidelines that will complement the content of regulations and provide additional compliance assistance for organizations. We look forward to engaging with ISED and other stakeholders in the development of these guidelines.

Sincerely,

Original signed by

Barbara Bucknell
Director, Policy and Research


Footnotes

Footnote 1

In considering an appropriate level of protection, the definition of “encrypted” in California’s Data Security Breach Reporting law (California Civil Code Section 1798.82 at subsec. 1798.82(i)(4)) may be useful: “… “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security”.

Footnote 2

For reference see breach notification guidance issued by the U.S. Department of Health and Human Services: “Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.”

Footnote 3

This is also consistent with Subsection 19.1(1) of Alberta’s Personal Information Protection Act Regulation, Alberta Regulation 366/2003.

Date modified: 2016-06-22


Breach of Security Safeguards Regulations
Submission to Innovation, Science and Economic Development Canada
October 2, 2017

Jill Paterson
Senior Policy Analyst
Digital Policy Branch
Spectrum Information Technologies and Telecommunications (SITT) Sector
Innovation, Science and Economic Development Canada
CD Howe Building, 235 Queen Street, Room 162D
Ottawa, Ontario K1A 0H5

Dear Ms. Paterson,

Re: Breach of Security Safeguards Regulations

The Office of the Privacy Commissioner of Canada (OPC) appreciates the opportunity to provide comments on the data breach regulations published in Part 1 of the Canada Gazette, dated September 2nd 2017 (Footnote 1).

The draft regulations posted in the Canada Gazette address some of the recommendations our Office made to the Department of Innovation, Science and Economic Development (ISED) (Footnote 2) in response to their March 2016 breach discussion document (Footnote 3).

That said, a number of key issues recommended in our submission are absent in the regulations. We believe this may challenge the regulations’ ability to fully achieve the sought-after benefits to organizations, individuals and the Digital Economy.

In our view, the data breach reporting and notification regulations are a key instrument to improve security practices and consumer trust.

As a result, the OPC urges the Government to consider the following:

Content of Breach Reports to the Privacy Commissioner

Our Office believes that breach reports to the OPC provide the Privacy Commissioner with information necessary to assess the quality of organizations’ safeguards. Without this, our Office’s ability to improve security practices will be substantially hampered.

Omitting the requirement to report on the state of relevant safeguards sends a signal that prevention of breaches is less important than mitigation of breach impact after the fact.


As well, such information would give our Office the opportunity to supplement information obtained through breach records, allowing us to develop a broad understanding of the overall challenges with respect to security safeguards and breaches in the marketplace. In turn, this would support our ability to more effectively advise and guide organizations on how to improve their security practices and better protect Canadians’ personal information.

As recommended in our Office’s submission to the 2016 ISED discussion paper, we would once again urge the Government to consider that reports to the Privacy Commissioner contain an organization’s assessment of the risk of harm caused by the breach.

We believe that this crucial assessment requirement should be reflected in the data breach regulations. As the RIAS notes that the proposed requirements align with those of Alberta and the EU, we would note that this type of requirement, in some fashion, can be found in both those jurisdictions (Footnote 4).

If the intent of the data breach regulations is indeed to align the laws in Canada with those in other jurisdictions to standardize an organization’s reporting requirements and promote economic interests, as the RIAS states, our Office recommends that reports to the Privacy Commissioner should include similar assessments.

In addition to the data elements required to be reported to the Privacy Commissioner in the regulations, we refer to our 2016 submission to ISED and are of the position that these reports should include:

• An assessment of the risk of harm to individuals resulting from the breach;
• A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;

• A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals. Knowing what measures are being taken to prevent a further breach will be helpful from our perspective; and

• A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.

As well, we note that the RIAS suggests that the data breach reports have broader public security benefits and will play a role in terms of a “much needed repository of information on data security incidents in Canada….” While we indeed support this objective, the utility of such a repository may be impacted if reports to the Commissioner do not contain key data elements, such as the assessment of harm.

Furthermore, while the RIAS suggests that organizations can provide additional information in a report to the Privacy Commissioner if they choose to, it is unclear to what extent organizations will voluntarily report on their assessments of real risk of significant harm (RROSH) or their assessment of the types of harms.


Record Keeping Requirements Require Clarity

The RIAS notes: “The proposed regulations will affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner to ensure compliance with the requirements to report to the Commissioner and notify affected individuals of significant breaches. This in turn will encourage better data security practices by the organizations.”

In order for recordkeeping to fulfill the intent identified in the RIAS, it would be important to have a set of prescribed data elements to facilitate oversight by the Privacy Commissioner and help organizations to approach record keeping in a consistent manner. We would like to reference our 2016 submission to ISED and are of the position that the following data elements should be recorded for any breach:

• Date or estimated date of the breach;
• General description of the circumstances of the breach;
• Nature of the information involved in the breach; and
• Summary and conclusion of the organization’s risk assessment leading to its decision whether to notify/report or not.

We also note that recordkeeping requirements have only been set for a minimum of twenty four (24) months, as opposed to five (5) years, as our Office had recommended. Part of the rationale for this retention period, as per the RIAS, is that twenty four (24) months aligns with limitations on initiating civil litigation. Our Office, though, believes that if the purpose of the regulations is to support economic interests, organizational health, and consumer trust, then reliance on a retention standard based on civil liability may overlook the benefits a slightly longer retention period will provide for companies, individuals, and the digital marketplace.

Our Office also believes that two (2) years is not a sufficient time frame to develop a complete assessment, as five (5) years will provide a clearer picture of how the various aspects of the breach are and have been addressed by an organization. In addition, five (5) years will allow the OPC and organizations to have a better understanding of risks – this would help improve the intelligence and analytical capabilities required for the OPC to identify any systemic issues and more effectively guide organizations to develop better security practices.

Coming into Force

While we understand that the coming into force of the regulations has not yet been determined, our Office notes that ISED has heard from stakeholders that this should range from six (6) to eighteen (18) months.

The OPC understands that while there may indeed be an implementation window that is required, we would also note that organizations have been aware of the overall, upcoming mandatory data breach reporting and notification requirements since the updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in June 2015.


As other jurisdictions in Canada have long had data breach reporting and notification for the private sector, and the 2018 coming into force of the GDPR has macro-level economic and political considerations, the OPC is of the view that eighteen (18) months is too long, and recommends that a shorter time period be given in order to improve the landscape for organizations and individuals and bring Canada into line globally.

Concluding Remarks

As mentioned in the RIAS, ISED has offered to work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. The OPC appreciates this offer and looks forward to our on-going positive working relationship with ISED. We believe this collaboration will be particularly helpful as guidance is developed on reports to the Privacy Commissioner, risk assessment, and record keeping.

We await the finalization of the regulations, and their imminent coming into force, and the Government’s effort and commitment to improving the privacy landscape for all stakeholders in Canada.

Sincerely,

(Original signed by)

Barbara Bucknell
Director, Policy and Research


Footnotes

Footnote 1

Canada Gazette, Vol. 151, No. 35 — September 2, 2017

Footnote 2

Office of the Privacy Commissioner of Canada, “Submission to Innovation, Science and Economic Development Canada: Discussion document on data breach notification and reporting regulations”, June 10th 2016

Footnote 3

Innovation, Science and Economic Development Canada, “For Discussion — Data Breach Notification and Reporting Regulations”, March 4th 2016.

Footnote 4

Alberta Personal Information Protection Act Regulation, Alberta Regulation 366/2003, with amendments up to and including Alberta Regulation 51/2010, requires that a notice provided by an organization to the Commissioner must be in writing and include “an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure” (Section 19(3)(d)). In addition, the General Data Protection Regulation states that in the case of a data breach the controller shall notify the personal data breach to the supervisory authority and, amongst other things, shall describe the likely consequences of the personal data breach (Article 33(c)).

Date modified: 2017-10-10
