2014 Legislative Session: Second Session, 40th Parliament

SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT

MINUTES AND HANSARD


MINUTES

SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT

Wednesday, May 28, 2014

9:00 a.m.

Douglas Fir Committee Room
Parliament Buildings, Victoria, B.C.

Present: Mike Bernier, MLA (Chair); George Heyman, MLA (Deputy Chair); Donna Barnett, MLA; Dr. Doug Bing, MLA; Marvin Hunt, MLA; Doug Routley, MLA

Unavoidably Absent: Simon Gibson, MLA; Sue Hammell, MLA

1. The Chair called the Committee to order at 9:03 a.m.

2. The following witnesses appeared before the Committee and answered questions regarding the Personal Information Protection Act.

Office of the Information and Privacy Commissioner

• Elizabeth Denham, Information and Privacy Commissioner

• Michael McEvoy, Deputy Commissioner

3. The Committee adjourned to the call of the Chair at 10:30 a.m.

Mike Bernier, MLA 
Chair

Susan Sourial
Committee Clerk


The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT

WEDNESDAY, MAY 28, 2014

Issue No. 3

ISSN 1913-4746 (Print)
ISSN 1913-4754 (Online)


CONTENTS

Briefing: Personal Information Protection Act

E. Denham

M. McEvoy


Chair:

* Mike Bernier (Peace River South BC Liberal)

Deputy Chair:

* George Heyman (Vancouver-Fairview NDP)

Members:

* Donna Barnett (Cariboo-Chilcotin BC Liberal)


* Dr. Doug Bing (Maple Ridge–Pitt Meadows BC Liberal)


Simon Gibson (Abbotsford-Mission BC Liberal)


Sue Hammell (Surrey–Green Timbers NDP)


* Marvin Hunt (Surrey-Panorama BC Liberal)


* Doug Routley (Nanaimo–North Cowichan NDP)


* denotes member present

Clerk:

Susan Sourial

Committee Staff:

Byron Plant (Committee Research Analyst)


Witnesses:

Elizabeth Denham (Information and Privacy Commissioner)

Michael McEvoy (Deputy Information and Privacy Commissioner)



WEDNESDAY, MAY 28, 2014

The committee met at 9:03 a.m.

[M. Bernier in the chair.]

M. Bernier (Chair): Good morning, everyone. Welcome again to the Special Committee to Review the Personal Information Protection Act. Thanks, everybody, for taking the time to come in this morning. We're going to maybe jump right into things.

I'd like to introduce Elizabeth Denham and Michael McEvoy, who are here from the Privacy Commissioner's office, who are going to…. There's a briefing note, basically, that everybody's had circulated.

I'm actually going to turn things over to yourself, Elizabeth. Thank you so much for coming in. Again, as we discussed beforehand, this is a different standing committee than some of the other ones — quite technical. We're looking forward to hearing from your expertise today and your ideas.

Briefing: Personal Information Protection Act

E. Denham: Thank you very much, Mr. Chair, and to all members of the committee for having me here today to share some of the experience that we've had in our office in overseeing the Personal Information Protection Act for a decade.

[0905]

With me today is Deputy Commissioner Michael McEvoy, who many of you know, and in the audience there are a number of my staff, including Jay Fedorak, who's our deputy commissioner for lobbying and also assistant commissioner. I think there's a bit of a reunion going on behind us with former interns and current interns.

I'd like to begin by saying that the importance of your work on behalf of British Columbia on this committee can't be overstated, and the timing of the committee's work couldn't be more critical.

Mr. Chair, you asked a question of the government representatives two weeks ago, and you asked: "What's changed in the past six years since PIPA was reviewed?" I'd suggest to you and the committee that the landscape has changed dramatically in the past half-dozen years, when it comes to our personal information and how organizations collect, use and increasingly share it. If you think about this, how many of you use Facebook, Twitter or carry a smartphone? Six years ago, Facebook was emerging from infancy, tweeting was something that the birds did, and people were only being introduced to the idea that phones could be smart.

Facebook now has a billion users, 20 million in Canada. Twitter now ranks as one of the world's largest social media sites, and close to one-quarter of us around the world carry a smartphone loaded with apps.

Some of us choose to share more personal information than others on these platforms, but whatever the case, more and more organizations like social media companies and retailers have a lot of information about us, much of that information sensitive data. In fact, in a very, very short period, the advances of computing power and the massive explosion in the scale of data that organizations collect and store about us have paved the way for an explosion in the role that personal information plays in the digital economy.

With those changes come risks that our personal information is used in ways that may be intrusive, may be illegal or, certainly, in ways that we didn't anticipate. In some cases, our personal information is at risk of being stolen because of lapses in privacy and security measures.

The consequence of a privacy breach is exponentially greater than it was six years ago. If you think of some of the recent examples of eBay and Target, Heartbleed…. I'll have more to say about those later.

Mr. Chair and members of the committee, it's hardly surprising that in this environment, the public is far more aware of and far more concerned about how their personal information is cared for. I was just scanning some headlines over the last ten days — editorials across the country. I'll just read you some of them. "An Attack on our Privacy," National Post, May 26. "Tighten Police Database Rules to Safeguard Privacy," Toronto Star, May 26. "Our Privacy Under Attack," an editorial in The Chronicle Herald, May 26.

May 21, Globe and Mail: "Canada Needs a Royal Commission on Spying and Privacy of Canadians." Times Colonist, May 11: "Rewrite Laws to Guard Privacy."

I've been in the privacy biz for about 15 years and never have I seen so much public interest, concern and engagement in the protection of our personal information. In fact, the word "privacy" was named the 2013 word of the year by Dictionary.com.

There are increasing demands for strong privacy laws, for active regulators and more transparency. Privacy matters to each of us because our emotional and our physical well-being depend on it.

[0910]

It's unimaginable to think of going to your doctor or your lawyer or your counsellor without any expectation that the personal information you provide during those sessions would remain private and confidential.

Privacy also matters because our economy depends on it. Imagine going to a credit union to get a mortgage, to a lawyer for family law advice or to an Internet site to book a hotel without any guarantees that the information that you provide would be safeguarded and kept confidential. When that confidence is breached, the economic consequences can be staggering for both the individual and for the business involved.

That privacy matters to Canadians is confirmed by a number of surveys, but the most tangible evidence for me of British Columbians' concern about privacy can be seen in the increase of privacy-related matters that come to our office.

I think most of you know that I'm responsible for, among other things, dealing with concerns that individual British Columbians have about how private sector organizations manage their personal information. Since 2008, when PIPA was last reviewed, the annual number of complaints has jumped by approximately 50 percent. The number of voluntary notices that my office receives about privacy breaches has risen by 100 percent.

Chair and committee members, against the backdrop of these changes, it's my view that we have to ensure that the laws that govern the protection of our personal information in the corporate sector meet the expectations of consumers, of employees and of organizations alike.

If I think about it, I would say PIPA does a pretty good job of balancing the rights of individuals to have their privacy protected against the needs of organizations to collect, use and disclose it for reasonable business purposes. But — and this is a major "but" — some key reforms are required, or we are at risk of falling behind other jurisdictions.

Before I take you to just a few pressure points for reform, I think it might be helpful to just provide you with a brief background on PIPA and a background on the role of my office.

As the Information and Privacy Commissioner for British Columbia, I'm responsible for oversight of both the Freedom of Information and Protection of Privacy Act, which is the law that applies to the public sector, and the Personal Information Protection Act that applies to the commercial and the not-for-profit sector.

PIPA was enacted to alleviate customer concerns about privacy and to allow British Columbia's business community to compete in the Canadian and the global digital economy. So the policy goal of the statute is to build trust in commerce. You heard from the government representatives a couple of weeks ago. PIPA is one component in a chain of assurance for trade and commerce within Canada and beyond Canada. The act assures our trading partners that transborder data flows of personal information will be adequately protected.

A stunning statistic: PIPA applies to more than 380,000 organizations operating in the private sector in British Columbia. I don't repeat that figure too often to the staff in my office, because I keep saying that we've got a small team, big mandate.

There's a broad spectrum of organizations that are subject to the law, including law firms, physicians' offices, credit unions, investment firms, insurers, charities, strata councils and even political parties.

PIPA contains the rules for collection, use, disclosure and security of personal data held by organizations. It also gives individuals a legal right of access to their own personal information and a right to request correction of it.

Customers and employees of private sector businesses can ask our office to review matters where they're not satisfied with how an organization has responded to a request for access to their personal information. Individuals may also make a complaint to our office about the collection, use, disclosure or protection of their personal information.

[0915]

How do we handle this? We investigate the circumstances of the complaint, we consider the relevant provisions of PIPA, and, where practicable, we seek a resolution that's acceptable to both parties. We are successful 97 percent of the time in finding a successful resolution, but individuals or organizations that are not satisfied with the suggested resolution have the option of asking the commissioner to conduct an inquiry. An inquiry is formal adjudication of a complaint. Adjudicators in our office make legally binding decisions in orders that are enforceable by a court.

I mentioned a few moments ago the jump in PIPA matters coming to our office in the past six years. In 2013-14 alone we received 156 complaints and 58 requests for review, and we issued five orders. The orders issued by my office include complaints about GPS tracking by employers, video surveillance in a condo complex here in Victoria and also the scanning of drivers' licences at a bar in Vancouver.

These cases were outlined in the submission before you. Really, I chose them to illustrate the scope of PIPA and how it applies to new technologies.

Enforcement powers are not the only means of ensuring that organizations comply with the law. We have other tools in our toolbox. Compliance also comes through education and advice. We try to take every opportunity to educate organizations about their obligations and educate individuals about their rights under the law.

We have a new, award-winning website that provides comprehensive information about the requirements of PIPA and the work of our office. It provides easy access to the many guidance documents that we've published over the years. We also try to get out to speak to consumer groups, to communities such as seniors and patients and others that may not routinely or regularly access the web.

In terms of educating businesses and non-profits, one really important publication with the very provocative title of Getting Accountability Right with a Privacy Management Program clearly sets out the fundamental building blocks of a privacy management program necessary for compliance with the law. We produced this document in collaboration with our federal and our Alberta colleagues. It's practical, and it's a step-by-step approach that has received international attention. I've presented that to numerous industry groups at conferences, etc.

This document is important because it also outlines the basis on which we conduct an audit of an organization's privacy and security program — so no surprises for businesses.

With respect to the use of technologies, we've produced guidelines for a security self-assessment for small business, cloud computing, mobile apps, video surveillance, on-line consent and social media background checks. There's a list of these guidelines in the submission.

Our other outreach activities include meeting with and delivering presentations to industry groups, to chambers of commerce, and also hosting and participating in conferences for the private sector. This past fall we hosted a sold-out conference in Vancouver that attracted 500 privacy and security practitioners from B.C. and beyond.

It's also essential that I work closely with counterparts in Canada and beyond. I collaborate regularly with the Alberta and the federal offices because we share the jurisdiction for the private sector, but we're also involved in the Global Privacy Enforcement Network and the Asia Pacific Privacy Authorities. These are opportunities for information-sharing and coordination of our regulatory responsibilities vis-à-vis multinational corporations, and they're invaluable.

[0920]

Because of British Columbia's economic connections with Asia, my office is taking on a very active role with Asia Pacific Privacy Authorities. In fact, we're hosting a forum of this group in December in Vancouver.

I'm going to pause here. I have about ten more minutes of speaking points, but here's my pitch for reform. This is the part that I know you're keenly interested in.

I alluded earlier to some key areas of PIPA that require reform if we're going to meet the challenges of raising public expectations as well as business and trade imperatives. Although there are other recommendations from the previous committee's work that really warrant your support, I'd like to spend the balance of the presentation focusing on three matters for your consideration. These are also outlined in my submission.

The most significant of the three I referred to earlier: breaches and the lack of mandatory notification. An important function of my office is to investigate and monitor privacy breaches. Breaches are a serious threat to our personal information as individuals and also are a serious threat to organizations. They undermine customer trust, and they can be very expensive for all parties to clean up.

I just want to mention privacy breaches at Target and eBay, because I think they're graphic illustrations of the catastrophic consequence of a major privacy breach.

As many of you know, the U.S. retailer Target experienced a breach last year where hackers exposed the data of up to 110 million customers who used credit and debit cards at the store. The breaches had a significant negative effect on profits, and recently the chief executive officer and the chief information officer have resigned.

When it comes to eBay, hackers raided its network three months ago, accessing 145 million user records, of which they copied a large part. The records contained passwords as well as e-mail addresses, birthdates, mailing addresses and other personal information. That's one of the biggest data breaches in history, based on the number of accounts compromised.

Closer to home, the Kamloops branch of LifeLabs sent a computer to their main office in Burnaby for servicing in January 2013, but when it was returned, the hard drive was missing. The hard drive held the results of ECGs, or electrocardiograms, gathered at three facilities between 2007 and 2013. The hard drive included personal information of 16,000 patients, including name, address, personal health number, height, age, gender and the ECG results.

While there is some research that suggests that, overall, organizations expect to increase IT security spending to better protect their data from theft and attack, other research suggests that organizations are not focusing enough resources in this area. We think more attention needs to be paid to these issues. That's the reason why my major and most significant recommendation to the committee for reform of PIPA is mandatory breach notification.

Both the commissioner of the day and the committee called for this amendment in 2008. This amendment would require organizations to notify both my office and affected individuals in the event of a privacy breach that creates a real risk of significant harm.

An expressed duty to notify in appropriate cases would strengthen the oversight of my office in relation to privacy protection in the private sector. It would level the playing field for organizations. Right now those that voluntarily report to our office face reputational damage and the cost of cleaning up, while those who don't report may escape with no negative effects on their reputation or their bottom line.

[0925]

Mandatory breach reporting would also help to drive compliance by organizations, acting as a kind of preventative medicine that would move companies to implement and invest in better privacy and security practices to avoid having to disclose a breach.

This requirement, as you know, already exists in the Alberta law. It's also a proposed amendment in Bill S-4, the Digital Privacy Act, which will amend the federal law, PIPEDA, and it's being added to most of the 101 data protection laws around the world.

There's a good policy reason for harmonization among private sector privacy laws in Canada. Given that many businesses operate nationally or even internationally, it's confusing and it's difficult for businesses to have to comply with different requirements depending on whether they're federally regulated or provincially regulated or in what province the service is that they provide. Harmonized laws will facilitate the understanding of organizations about their legal obligations, and harmonization promotes better compliance.

Harmonization also makes sense from a consumer's perspective. It would be very troubling to have a situation where customers in Alberta were notified of a privacy breach but consumers in B.C., affected by the same breach and the same company, were not. Without the duty to notify that exists in other jurisdictions, there is a real risk that B.C. could become a haven for bad actors.

Mandatory breach provisions would bring B.C.'s PIPA in line with other jurisdictions.

In short — not so short — I think the arguments in favour of implementing mandatory breach notification are even more compelling today than they were in 2008. I will be providing more detail about a framework for mandatory reporting in my next submission, expected to be provided in the fall or whenever it's most convenient for your deliberations. I think a framework for B.C. has to be harmonized, but it also has to be flexible, and it needs to recognize the business community in B.C., which is made up of a lot of small businesses and microbusinesses, as well as a lot of start-ups.

Moving on to my second most important area for reform, the submission in front of you makes references to a number of changes that I believe are important, including those to deal with the Supreme Court of Canada's decision referred to as the UFCW case. I'm not going to go into those here, and I would commend my written submission to you on those matters. I'm prepared to answer any questions.

I'm only going to mention two other things. The first involves the authority of the commissioner to make an order in the absence of a complaint from an individual. Now, this on its face may sound bureaucratic, or it may sound like a minor matter, but it's especially problematic because, while my office may conduct an investigation that's not initiated in response to a specific complaint, at present I'm not able to issue an order where such an investigation is warranted.

Our office used to operate in a fairly reactive way. We used to sit back and wait for individual complaints to come through the door. But in today's world, where data processing is not transparent, where it's complex, where it's opaque and it happens with multiple parties, people are not even aware of where their personal information is being processed, how it's being used and disclosed. So they don't even know what to complain about.

Oftentimes — because of our research, and because we stay abreast of the implementation of new technologies — we go in and we conduct an investigation on our own motion. But an investigation initiated by the commissioner can't end in an order that compels a company to implement corrective measures or to cease collecting, using or disclosing information. Without an individual complaint, I can merely make recommendations for change. So in my view, this gap in the commissioner's powers needs to be corrected.

[0930]

The final matter that I draw to your attention concerns warrantless disclosures of personal information. Section 18(1)(j) of PIPA gives broad authority for organizations to disclose information to a government agency or law enforcement without the knowledge or consent of the individual and without a judicial warrant.

At present, companies have the discretion to comply with a request, or they can refuse to release personal information without a court-authorized order. Many companies have told me that they refuse warrantless requests, but others are less resistant to the requests because of the broad language in this section of the statute.

We have no way of knowing the scale, the number, the frequency or the reason for these disclosures. There are no provisions in the law requiring organizations to report on warrantless disclosures, and British Columbians that seek to access their personal information would likely find it difficult to even know if a company had disclosed their data.

Canadians and British Columbians have expressed significant concerns about warrantless access by law enforcement agencies, particularly at the federal level, in the debate surrounding lawful-access legislation such as Bill C-30 and Bill C-13, the cyberbullying bill that's before Parliament at present.

It's apparent that individuals expect greater transparency with respect to these types of provisions. Given public concern, the broad authority for warrantless disclosures in B.C.'s PIPA should be reconsidered by the committee.

In conclusion, I want to commend the committee for undertaking this very critical and timely review of PIPA. We've had an explosion in the privacy world, much of it generated by technology. I hope that I've painted a picture to you of the environment in which we operate right now. I think privacy protection is more important than ever to British Columbians, and strong private sector privacy law is critical.

I look forward to contributing to this process and will be studying the submissions by stakeholders so that we can respond in a more comprehensive way in the fall. Thank you for the opportunity. I'm happy to take any questions you may have.

M. Bernier (Chair): Well, thank you so much for all that information. We will go around the room, if there are any questions at this point. We'll start with Doug.

D. Routley: Thank you, Commissioner Denham, for the presentation. I really appreciate it. I participated in the review of FIPPA and was in a critic role that covered FIPPA and freedom of information and privacy protection from a public point of view, so this is really intriguing to me.

I'll start by disclosing a fairly extreme bias in that I do believe that privacy is an essential right of every citizen. It's as essential a right as the right to a free trial. We have as citizens, as the commissioner points out in her introduction, the right to be unobserved and the right to maintain a private life separate and apart from our public life. This is essential to us.

It was pointed out by Dave Nikolejsin, who was in a high-level bureaucratic position administering FIPPA in the past, that a breach of private information is something that a company can make whole. If a company like VISA loses your information and someone charges fraudulently to your card, the company can make you whole, and that's more or less the end of the matter. Whereas with private public information held by the government — like your health information, primarily, but many other issues as well — there's no way to make it whole. Once the bell is rung, it's out there, and there's no way to pull that back.

[0935]

I think that maybe — and I'd like the commissioner's opinion of this — when PIPA was introduced, it dealt primarily with that fairly superficial level of privacy, that we're protecting somebody's economic interests, their financial well-being. But now that organizations hold information, like the information that might be disclosed in a warrantless disclosure by a company like a web-service company, then we begin to include aspects of people's lives that are more than simply economic transactions that could be made whole if there's a breach. The consequences of breaches under PIPA have been magnified by the scope of the information that organizations hold.

Everyone assumes since the first crime drama they read or watched that the police will need a warrant to listen to our communications — when they were by telephone, a land line. Now we have all these other modes of communication that are personal, like our texting or Facebook and all the other modes, that are being shared without warrant and without our knowledge.

I wonder if the commissioner feels that there's a heightened sense of urgency in dealing with the heightened consequences that come from the scope of what we're dealing with.

E. Denham: I agree that probably ten years ago, when PIPA was enacted, we were dealing with something that seemed relatively easy to control — private sector data, data in the hands of a credit union, of a law firm, of a daycare, of a counselling facility — and we could understand what the risks are, but I think increasingly there's a blurring of lines between the private sector and the public sector. Warrantless disclosures are concerning to Canadians and British Columbians partly because of that.

Because we live so much of our lives on line, I think it's increasingly a risk. Somebody said to me — I think it was in our budget presentation: "Well, we shouldn't really worry about the public sector. We should worry about Facebook, because they're mining all of our data. We're putting all our private data on Facebook." I said, "Well, Facebook doesn't show up at your door at three o'clock in the morning," but increasingly, law enforcement has access to private sector data.

I think in the discussions in the 2008 review of PIPA, this matter was not discussed. I think now we're more concerned about law enforcement access and government access to private sector data: the co-opting of the private sector for use by the public sector.

At minimum, we need transparency around the extent of these disclosures and how useful warrantless disclosures are in law enforcement. We need to get the balance right between personal privacy and public safety. I think it's up to this committee to look at that issue in light of our own provincial legislation, in the same way it's being examined at the federal level.

M. Hunt: You used a most interesting word, which I was going to use. Well, I was sitting there arguing with myself about what was happening, then you used the word, so I thought: "Okay, I'll camp on you using the word 'balance.'"

I look forward to your arguments for both 4.2 and 4.3. I think I can turn 4.2, which is the commissioner-initiated investigations, and I would argue: "Where is the threshold for warrantless investigations of the commissioner?" You see?

I have had the…. We'll call it "pleasure" of being abused by the federal system, in situations that I'm not about to explain, where we had warrantless investigations that were just basically harassment — period. Full stop.

[0940]

My concern is: with both of those, where are we going to find that balance? I don't disagree with the concept of having a higher bar in the concept of warrantless disclosures, but by the same token, warrants, subpoenas, orders of the court are also a very high standard. I'm not sure that that highest standard…. Forcing everything to that highest standard can also, to me, be an abuse of the legal system. We just get more and more stuff tied up in the legal system, and we turn as litigious as the United States is.

I'm looking forward to your balance that you're going to propose to us in this, both on the high side and the low side for both of those issues.

E. Denham: I think that's a very important question, but the law doesn't allow me to just enter premises willy-nilly to initiate an investigation. There has to be reasonable grounds to suspect that there has been a contravention of the law, so I can't just decide that I'm waking up one morning and I'm going to go down the street and investigate Tim Hortons or investigate a daycare down the street. I have to have reasonable grounds.

We're very, very careful. Again, right now I'm doing an investigation of the collection and scanning of drivers' licences by car dealerships who are alleged to then move that information into their customer relationship management software system. Without individuals understanding that, they're test-driving a car. They have to show that they are a licensed driver. Now their driver's licence information is being retained by the company and used for marketing and contact without their consent.

For me to initiate that investigation without a complaint, all I can do at the end of the day is make recommendation. I can't order a company to cease and desist that kind of collection without notice and consent, without reasonable purposes, so that's really what I'm asking for there. It's the ability to issue an order and not just soft recommendations at the end of a commissioner-initiated investigation.

M. Hunt: Again, I think the balance of "reasonable grounds" and who is defining those reasonable grounds will become an interesting part of the dialogue and ultimately how the recommendations go forward.

E. Denham: I think Michael is going to add something, if that's okay, Mr. Chair.

M. Bernier (Chair): Of course.

M. McEvoy: With respect to the commissioner-initiated investigations and, of course, with respect to an individual who might complain about somebody, there is an existing mechanism within the legislation now that would allow the commissioner to disregard a complaint that would be frivolous or vexatious, so it would be meant to harass an individual or whatever.

The mechanism exists with respect to those individual complaints to deal with that now. It was recognized when the original drafters put this together that that could be a problem. The mechanism is there, and it's been used both in a PIPA context and also in the freedom-of-information context.

G. Heyman (Deputy Chair): I have a series of questions, Chair. Would you rather I ask all of them and wait for the answers or take several turns or ask them one at a time?

M. Bernier (Chair): Presently nobody else has put their hand up, so I would just turn it to you for now.

G. Heyman (Deputy Chair): Thank you, commissioner, for your presentation. My first question has to do with mandatory reporting or mandatory notification of breaches. I'm wondering if you can save me some research, in case you know the reason for initially omitting this from B.C.'s legislation — as well as what, in your opinion or in your knowledge, is the reason that this recommendation and others from the last review have failed to be implemented up to this point.

E. Denham: I think that's a question for government. We made our submission. The committee agreed with many of the recommendations, including mandatory breach notification, but also, to be fair, in 2008 I don't think the cost and the threat and the implications of a data breach were as well known as they are now.

I was trying to find some statistics on this issue last night, and it's almost impossible to know how many breaches have occurred, let's say, in the last year in British Columbia. How would we know that? There's only a system of voluntary reporting.

[0945]

IBM Canada had some really interesting statistics. Because they provide the network for so many private sector companies, they have a statistic that there's been a 38 percent increase in significant data breaches in Canada in the last year.

I think between cyber crime, the kinds of sophisticated attacks that can be made on our information technology systems…. Because of the extent and the number of Canadians that have experienced identity theft, I think this is a very real and very serious problem. I think if you talk to the average person on the street, they will say: "We need to do something about this."

Mandatory breach notification is not a perfect system, but I think it's an incentive for companies to focus on the protection of personal information and the security of personal information. There's nothing like a new legal provision to get the attention of businesses, and I think consumers expect it.

G. Heyman (Deputy Chair): And you have no particular opinion or information regarding the essentially five-year-plus delay in implementing the recommendation that was made by the last committee?

E. Denham: I don't have knowledge of that. I was appointed in 2010, so that was after the consideration of that report.

G. Heyman (Deputy Chair): If you could, if you're willing to, in your submission or in some other form, by letter…. If there is some history of your office communicating with government that is not privileged and confidential regarding the urging of implementation, with rationales for implementation of that recommendation, I'd find that useful. Hopefully, the committee would as well.

I'm also wondering if you have any knowledge of jurisdictions where there is in fact a mandatory notification provision and if there is any history of failure to comply and subsequent prosecution or administrative action with respect to that.

E. Denham: Of course, right across the mountains in Alberta they've had mandatory breach notification in the private sector since 2010. There has been a proposal made recently in Alberta for mandatory breach notification in the health sector as well. That exists elsewhere in Canada — mandatory breach notification in the health sector.

In Alberta they have had almost four years' experience. I don't think there was a prosecution or an offence investigation laid for failure to notify, but there have been a significant number of reports made to the Alberta office.

Here's a population smaller than British Columbia, and they've had twice the reports that we've had in British Columbia. We've got 50 breach reports in B.C. Somehow, out of 380,000 organizations in British Columbia, I think there have been more than 50 breaches, and that's what we've had for voluntary notices.

Michael, do you know of any prosecution for failure to notify in Canada?

M. McEvoy: Not that I'm aware of. I think the experience in Alberta…. I heard the commissioner recently speak on this topic. If anything, companies will sometimes err on the side of caution, not wondering if it's a significant breach or not. That's probably not a bad practice — to err on that side of caution.

I think it gives some indication of when you've got a law like this in place, the word spreads. Organizations and businesses become aware of it and understand it's good practice for customers and the business alike.

G. Heyman (Deputy Chair): Essentially, you're saying it's effective, and compliance, or fear of non-compliance, isn't really an issue.

E. Denham: I think it is. I think because 47 out of 50 states in the U.S. have mandatory breach notification, larger companies are completely familiar with regimes like this. The challenge is to the small and medium-sized organizations. Again, the model for B.C. has to take into consideration the needs of the specific types of businesses that make up our community here.

[0950]

That's my point about there being an unequal playing field for business. You know, the good guys are voluntarily notifying our office, but there are many, many companies that are likely experiencing significant breaches, and they're not notifying their customers. They're not telling our office, and that goes to trust of consumers. I think it's really an important addition to our legal framework.

G. Heyman (Deputy Chair): Thank you. On the issue of unwarranted disclosures, currently Bill C-13 is before the federal parliament. It's getting a lot of attention in the media. It's getting a lot of political attention. But it has also brought significant commentary from experts in the field and privacy commissioners, including yourself.

I'm wondering if you could tell the committee, in your opinion, if in fact it passes, how that impacts our ability in British Columbia to make recommendations that may be inconsistent with that act — how the acts would interact.

E. Denham: If the cyberbullying legislation passes — and that's C-13 — then law enforcement would have…. There would be a lower threshold for them to obtain production orders for data related to certain crimes. I don't see that there would be a conflict with our law because, again, our law has a discretionary ability of businesses to release information to law enforcement. It goes to the level of evidence necessary to get a production order.

If you're asking me about S-4, which is the Digital Privacy Act, there could be an inconsistency between those two statutes. But I also want to say that the B.C. provision in 18(1)(j) is even broader than the section in S-4, because it provides for the disclosure of information even in the contemplation of an investigation.

An investigation by a law enforcement agency doesn't have to be underway. It's in contemplation of an investigation. I think that's broader language than S-4. I can actually get a more informed response to the committee in comparing those provisions if that would be helpful. I need to have them all in front of me.

G. Heyman (Deputy Chair): That would be helpful, and I may well have been referring to S-4, because I didn't do enough research.

I have a couple more questions, but I'm willing to wait, Chair.

M. Bernier (Chair): Thank you. We'll move at this time to Doug Bing.

D. Bing: Thank you for your presentation. That was very interesting.

I was just thinking of some of the international implications. A lot of these large companies…. As you mentioned, Facebook had 1.2 billion customers. They are, I presume, an American-headquartered company. So if they had a large breach of information, what could we in this country do about that?

Another thing. Hacking is such a commonly occurring thing, and sometimes there is identity theft. Things like that happen, yet as an individual you don't know if this is a widespread thing. It happens to you, and you feel that you've been affected, but you feel you have no recourse.

For example, just before Christmas a number of MLAs had their Facebook accounts hacked, and someone had taken over their accounts and was impersonating them. We had no idea whether it was just a few of us or it was all of us and if they were targeting other people. This was a very significant thing to us.

I'm also wondering…. You were saying about the goal of mitigation and not punishment. What are the consequences to companies that violate the law and don't report breaches of information?

E. Denham: Thank you for the questions. Starting with the first, what's the jurisdiction of British Columbia when it comes to Facebook?

[0955]

Facebook operates, of course, around the world. If there are 20 million Canadians on Facebook, there are probably two to three million British Columbians on Facebook. If a company has a real and substantial connection to the province of British Columbia and if we had mandatory breach notification, then Facebook, operating in British Columbia, would have a duty to notify affected individuals — both notify them and notify my office — of a significant breach. That's the point of mandatory breach notification.

These Internet giants like Facebook and Google have to comply with local laws. Even though they're based in the Silicon Valley, they still have to comply with local laws. You know, Australia now has mandatory breach notification. If there's a breach of Facebook affecting Australian citizens, Australian Facebook users, there would be a duty to notify. So that's a point.

Enforcement is tough when you're reaching across the border into the Silicon Valley, but it has been done successfully by other data protection regulators, including Ireland, Australia, Canada, etc. That's the first question.

Secondly, what can we do? Individuals whose information has been compromised through hacking or through insecure sites…. Again, that's the point of mandatory breach notification. It's the necessity, the legal requirement, of a company to notify you that your information has been hacked, that you've been impersonated, so that you can take steps to protect yourself. Otherwise, it goes on without your knowledge, or you stumble upon it — that somebody is impersonating you on that site.

Your third question was about our mediation success and what happens to a company if they ignore our recommendations. Is that the question? What's the consequence? Well, right now if we have a complaint, we can make an order that's legal and binding against an organization, and the courts will back us up on that. But without mandatory breach notification in our law, there's really nothing we can do because it's a completely voluntary regime at present. And I do think that's one tool that will strengthen law and strengthen compliance.

D. Routley: I think MLA Bing's question really underlines the importance of harmonization and working with other jurisdictions to find harmonization opportunities that could help us enforce our own statutes in other jurisdictions, given the overlapping way these businesses operate.

The commissioner referred to the business mix in B.C. being such a high proportion of small businesses; 97 percent of B.C. businesses have 50 or fewer employees. We're discussing a piece of legislation that applies to these megacorporations that operate globally — like Facebook, with 1.2 billion clients — versus the small business on the corner that has a customer bonus plan that can wind up being shared inappropriately.

The different consequences and the different capacities of organizations to respond to legislation need to be considered by us as we move forward. If we are considering a recommendation to government that is focused on Facebook, it may be entirely punitive to a small business operator in B.C. — like a pharmacy, for example. I wonder if the commissioner can give us a hint as to how the office intends to find a balance between those interests.

To share another anecdote that was shared at a conference on privacy a couple of years ago…. It relates to our duty as gatekeepers of this right that people expect. There was a study done that showed that more than 70 percent of Canadians considered privacy to be an essential right and freedom and of high saliency in what they consider their set of essential freedoms.

[1000]

But an almost identical percentage were willing to trade their social insurance number for 30 grams of chocolate on line. So it showed that although people were highly aware of how important it is, they were unaware of the architecture of how to protect themselves.

I think that's something we need to consider as we look at what we're doing here — that we expect people under PIPA to be able to drive the whole application of the law by complaint. Under FIPPA, the freedom-of-information act that applies to government and public organizations, the commissioner can engage in an investigation without a complaint.

I think that anecdote points to that we are under-equipped as citizens to be the motivator of engaging this protection and that we need to find a way as legislators and gatekeepers of that right to empower protection of people in ways that they maybe aren't quite aware of just how important it is.

I'd love to hear from the commissioner about the mix, the balance of approach.

E. Denham: If I could start with your second question first. The law is a floor, right? It's a foundation. But the fact is that we now as citizens and consumers need to have some digital awareness, and we need to learn how to be digital citizens. This kind of education on how to protect yourself on line, how to actually implement the kinds of privacy controls that exist on social media sites that didn't even exist six years ago. But they're there now. Do we know how to use them?

This kind of education needs to start before we go to school, because you've seen little kids walking around with tablets. We need to learn how to protect ourselves. We need to learn how computers work. We need to learn this new ecosystem. Education is really important.

One of the things we try to do in our office, through our website and through partnering with organizations and through presentations, is to build awareness of privacy and security, especially among vulnerable groups like seniors and children. We have a summer student who is starting with us in a month or so, who is on a youth privacy project. How do we raise awareness among youth of the need to protect themselves? It's education. It's the law. Individuals, families, parents have to play a role here.

Your first comment was about: how are we going to assist smaller businesses if there is a requirement down the road for mandatory breach notification? I would have said six years ago that it would have been really easy to draw a line between the risks faced by individuals who are customers of large organizations that process a huge amount of data. I could have drawn a line between the corner store and the corner butcher shop and these very large organizations that are really in the biz of making money from personal information.

Increasingly, it's hard to draw that line, because we have, you know, two people working in a garage, developing an application that processes a great deal of sensitive personal information. The problem is now you can't say: "There should be separate rules for small business or microbusiness and different rules for the big guys." I really think the challenge goes to how much personal information a company is processing, and if they are collecting and processing sensitive personal information, they need to step up to their obligations under the law. That's a really challenging environment.

I have some ideas on how we can educate them. I think we can do it through the other larger companies that they have connections with, telecommunications companies, accountants. People who are doing their books can actually translate for them what their obligations are. But it's not as easy as it was six years ago, Doug, to be able to draw a line and say: "Rules for the big guys; different rules for the little guys." We certainly would plan a lot of education materials and connecting with industry groups.

[1005]

M. Hunt: I think there also needs to be a definition of what we are calling "sensitive personal information." If we take…. Let's pick on Facebook and Twitter for a moment. That's simply the modern, digital version of gossip. Before, we had the neighbourhood gossip that you told information to, and it went all over the neighbourhood. We never had rules concerning the gossip except for defamation of character, libel, those kinds of things. But such is life.

You know, you tell one person, and that's your stupidity, your lack of social awareness, whatever words we want to use for those sorts of things. I just have a concern in this that we have, if I can say it this way, a separation between somebody hacking my Twitter account or my Facebook account and mandatory notification of that.

I can imagine…. With — and we'll use your numbers — approximations of 2 million B.C. accounts, I'm going to say that some account is hacked every day. Obviously — well, at least from my perspective — I would not be expecting mandatory notifications every day coming to you from Twitter saying somebody's account was hacked. And by the same token, how in the world is Facebook or Twitter going to know that somebody's account is hacked? Usually, I only find out because somebody says: "Marvin, I didn't realize that you lost 40 pounds in the last three days. I think you'd better check your account. I think you've been hacked." You know, that's how I found out that my account had been hacked.

I think there's the balance and the difference between that and Visa or MasterCard or those sorts of things. I see a world of difference between the two, and I just look forward to the discussions as we deal with this — how we separate those two worlds from each other.

E. Denham: You're exactly right, Marvin. The really tricky part is getting the threshold of reporting right. Luckily, other jurisdictions have gone there before us, and we can learn from them, while also recognizing the need to harmonize with Alberta and the federal Digital Privacy Act, which has a framework for mandatory breach. But the organization, first of all, has to be aware of the breach or should have been reasonably aware of the breach, and secondly: real risk of significant harm to the reputation, to the identity, to the financial capacity of the individual. So, you know, it's a pretty high bar — real risk of significant harm.

Many privacy advocates think that bar is too high. They think it should be something like a material breach, which is a lower threshold. But it's going to be really important that this committee hear from stakeholders about the threshold. You don't want overreporting. You don't want notification fatigue. I don't want to be a register of faxes gone awry. That's not good use of our office. We want to hear about significant breaches that affect the reputation, the financial interests and the health interests of individuals.

M. Hunt: Mr. Chair, a supplementary. I would look forward to, when you report to us, that when you're analyzing or contacting other jurisdictions that have these provisions…. If we can be so blunt as to get them to be blunt back to us in what's making sense and what's not making sense in the current legislation that you have. Instead of us simply replicating legislation because it's there, let's do the critique of their legislation or have them do the critique of their own legislation so that we don't just go blindly following the pied piper and end up in a mistake at the end of it simply because we're following what somebody else did.

E. Denham: I couldn't agree with you more. Some of the business groups that I've spoken to about mandatory breach notification, such as the B.C. Business Council, have said to me: "We expect it's coming. It needs to be practical. It needs to be harmonized. And you've got to get the threshold right." So there are going to be many groups with opinions on this, and we will certainly do our homework and try to get the real story behind the scenes from the regulators.

[1010]

G. Heyman (Deputy Chair): I have two questions for the commissioner. The first one is whether you can just give a very brief summary of the Supreme Court rationale in the Alberta versus UFCW decision or appeal.

The second one is whether you have given any thought to, or plan to give any thought to the…. You mentioned earlier — just to give it some context — that the line between the public and private sector is becoming somewhat blurred. I would agree with that in that there's certainly extensive and always has been use of private sector suppliers of increasingly information technology services to government, even if they're administering it. More recently — or, at least, not that recently; in the last decade or so — there's been significant contracting of the management and complete administration of that work.

Have you given any thought to when we contemplate protection of privacy in this realm, what interface or potential conflicts there could be between measures we take in British Columbia legislatively and orders issued by the United States — the FISA court — the Foreign Intelligence Surveillance Act courts, which are closed courts, and which operate under the U.S.A. Patriot Act?

E. Denham: Okay. I'm going to start with the easy part of your question, which is a summary of the UFCW case. The Supreme Court of Canada ruled three months ago that the PIPA legislation in Alberta, which is very similar to the legislation in B.C., was unconstitutional to the extent that it frustrated the freedom of expression of a union — okay?

What was happening is that people were crossing a picket line in a union dispute, and the union was capturing photographs and alleging to post them on line. An adjudicator in the Alberta office said that posting those pictures on line was a contravention of the Personal Information Protection Act because they were posting those pictures without consent and without notification of the individual.

The Supreme Court of Canada overturned that ruling and said that picketing and labour disputes were a very important event in Canada, and it was protected activity. Therefore, the legislation should not prevent a union from photographing or collecting personal information in that public place.

To the extent that the law frustrated the freedom of expression that's protected under our constitution, the Alberta Legislature was told to revise their law.

The Alberta commissioner and the Alberta government are looking at an amendment to the Alberta law, which is narrow — the fix is very narrow in the law — it would allow the collection, use and disclosure of personal information to be collected in the context of a legal strike.

That's really an exception to the requirement for consent. I've written to our government. I've written to the Minister of Justice to suggest that such a narrow fix would also be required in our law.

So I hope that's…. Is that about as clear as mud?

G. Heyman (Deputy Chair): No, it's quite clear. I'd just ask a brief clarifying question. Should I assume, then, if somebody is walking down Belleville Street and takes a photograph of the Legislature, which includes a couple of other members of the public, that they're not allowed to post that on line?

E. Denham: Your example is an individual can do anything under the law. PIPA does not actually regulate the personal or domestic activities of an individual. The Alberta case was about a union, so that was an organization that was collecting information and a union in Alberta, in the same way as a union in British Columbia is subject to the Personal Information Protection Act.

[1015]

Again, these stresses and strains between protection of personal information and freedom of expression are really live issues for data protection legislation around the world. It's a very interesting case.

M. Bernier (Chair): Anything to add, Michael, to it?

M. McEvoy: I just would add to that. The commissioner has been in discussions with the commissioner in Alberta as well as the Minister of Justice here. I think, further along the theme of harmonization, it's really important. The Supreme Court of Canada gave Alberta one year to fix the problem, and clearly, the same issues are at stake in British Columbia. So whatever happens here, I think it should be in lockstep with Alberta so that there's a uniformity of approach, given virtually the same legislation.

E. Denham: Now for the hard part of George's question. George, you're asking me whether or not our office has examined the issue of the long arm of American law to reach into Canada and Canadian companies to compel the disclosure of personal information subject to a FISA Court order or subject to the Patriot Act.

G. Heyman (Deputy Chair): Whether you've looked at it, given it any thought or plan to give it any thought…. It's not just Canadian companies; it would be American companies operating in Canada…

E. Denham: Right.

G. Heyman (Deputy Chair): …or subsidiaries of American companies that are owned by American companies, which are in fact Canadian companies but owned elsewhere. I believe the Patriot Act applies to those as well.

E. Denham: I believe it does as well. These are very technical legal questions around corporate law, but it's obvious to me that if there is a subsidiary of an American company, if there is an American company wholly owned and operating in Canada, they would be subject to such disclosures. They would be secret, and Canadians wouldn't know about them. American companies have the lawful authority to respond to legal orders that would come from a FISA Court or would come from an American law enforcement agency.

Where we have started to look at it is in terms of the public sector. For the public sector in British Columbia, there is a prohibition against transborder data flow, so public bodies cannot access and store personal information outside of Canada without the consent of the individual or without a ministerial order, etc.

The problem comes when there's a private sector organization doing work on behalf of a public body. What's the proper corporate arrangement that shields that organization from lawful access disclosures from U.S. bodies? What we're looking at is what kind of legal and corporate arrangement would shield the application of American orders from those operations in Canada.

G. Heyman (Deputy Chair): That may be relevant to our discussion and deliberation — although, as you've pointed out, much of it's in secret. There's the potential for laws to be in conflict, and we may never know. So to some extent, there may be limits to what we can do. But I think it's worth our contemplation.

E. Denham: Yeah. In Alberta there was an amendment made, I think around 2010, that requires private sector companies to notify on their website, or make public, when information is being transferred across borders for processing. It's a transparency requirement that was added to the Alberta law.

I haven't studied that. I haven't studied the implications of that. But just to let you know that in their private sector law there was an amendment made for transparency.

G. Heyman (Deputy Chair): May I just add a comment, Chair?

M. Bernier (Chair): Yes.

G. Heyman (Deputy Chair): There have been experts who believe that it's not just data that crosses the border that's at risk; it's data housed in Canada but housed by an American-owned corporation in Canada. As long as they have access to the data, the reach of the FISA Court could extend into Canada. So I hope you're actually reviewing that and will be able, at some point, to give us the benefit of your assessment.

E. Denham: We're studying it.

Michael, did you want to add anything?

[1020]

M. McEvoy: From the legal perspective, it's often a factual context where the court will look at: how much control does the parent body have of the subsidiary, or what is the relationship between the two bodies? Practically speaking, if you can get your hands on the information, then a court would likely rule, and that's subject to enforcement.

The courts will also look at factors like… Just for example, if British Columbia had a law saying it's kind of hands off data from outside, a court in the U.S. would look at that and take that into account, but that wouldn't definitely be binding on the court. They could still reach in.

It's often contextually driven. As the commissioner indicated, we're continuing to further study it because it is of some significance, particularly in the public body side of things.

E. Denham: There is jurisprudence from other courts in other countries that have looked at the reach of American law — South American countries, for example.

M. Bernier (Chair): Thanks.

We're getting fairly close to the end here, but I'm going to go to Doug Routley next.

D. Routley: I'll try to be quick.

The commissioner indicated that, essentially, there is a reputational cost. The example of Target was given as a reputational cost of a breach, that Target's profits fell 46 percent in the quarter following their major breach of 110 million customers' information. The chief executive officer and chief information officer resigned, and they estimated that it cost them $61 million. So it's a very, very significant penalty that was imposed on them.

First of all, I'd like to know if there was mandatory reporting of that. Was it driven by mandatory reporting? Does the commissioner have examples of breaches that were discovered that had not been voluntarily disclosed?

I think we're setting up a situation where…. I believe everybody would agree that it's ethical for a company to disclose a breach and that that would define good corporate behaviour. But if the costs are so extraordinarily high to the reputation versus the chance that they might scoot by without that cost by not disclosing….

Can she offer, maybe in your subsequent report, examples of instances where mandatory reporting wasn't in place and where voluntary reporting didn't take place but subsequently there was a discovery of a breach? We could see, then, that we're setting up a very imbalanced playing field for businesses. Businesses that want to behave in an ethical fashion are essentially facing huge penalties for complying with something that isn't required, necessarily, by law.

The other piece that I wanted to ask the commissioner about, which I'm very interested in, is this overlap between FIPPA and PIPA that was indicated by the last question. We have the private corporations doing business for government, which is happening more and more in B.C. — the contracting out of work by government to private organizations, but also, not-for-profit organizations in the social services side. The definition of a public body, under FIPPA, is broad. It's specific, but it captures a broad range of organizations. Is there overlap between the definition of a public body and a private body under the two acts?

I think we should be very concerned about that. Not only are we facing a situation where perhaps people's information is vulnerable to foreign access; but also, as is indicated here in the transparency requirements for warrantless disclosures within Canada, an organization doing business on behalf of government could, without warrant, be disclosing highly personal information, particularly health information, if they're doing work, like counselling work, on behalf of a non-profit organization in B.C. They may be facing a much lower standard than someone covered under FIPPA.

[1025]

E. Denham: Starting with your last comment, I think what's really, really important is…. I think it was the first recommendation of the last committee report that wanted an explicit statement about accountability. Even in the private sector it needs to be explicit that the primary organization is accountable and responsible for the work that's done on their behalf. A really strong accountability statement that mirrors the accountability statement in PIPEDA is important for this act.

I found your comments really interesting. I need to look at them in the context of clarity around custody and control of information by a public body when they're contracting with a private sector agency.

I think it's really, really important that the primary organization and the law that they're accountable to, that they have to comply with, is clear, because the public sector standards are higher. That's really important. You know that we've got into all kinds of discussions around subsidiary corporations of universities and their need to be caught by the public sector act, so this is a really complex area.

Your first comment was around breaches. I will get back to you about my thoughts on that, because it's quite a broad question and statement, as you know.

Do we know about breaches that have been sort of swept under the carpet and not voluntarily reported to our office and where affected individuals have not been told that their information is disclosed? My answer to that is yes. Quite often the way we insert ourselves into breach monitoring is when we read about something in the paper or we get a brown envelope from an employee who should be protected under the whistle-blower provisions in the act. We do hear about things.

It's really hard, if you're a fairly large organization, to hide a data security breach. I mean, someone's going to leak it. When I phone, I get the sheepish CEO on the line. "Oh, the commissioner's calling. I guess she found out about our breach." I always say, "You know what? I don't really like to read these things in the newspaper. Give us a call. It's good. We can help. And you can tell the public that you've reported it to our office and you've got a regulator involved in monitoring this." It's still a mystery to me why they don't want to call us.

I think that one of the things you need to look at in the framework of mandatory breach notification is penalties for failure to report significant breaches. I think you need to get into some penalties there.

Your question about how we're going to balance that with really small organizations versus large organizations — again, I'm live to that issue. I don't want this framework to penalize small players, but a lot of small players don't have a lot of personal information either, except those microcompanies that are developing apps. We'll get to that. We're looking at that. We're very sensitive to putting penalties or large costs on small organizations that are trying to do the right thing.

M. Bernier (Chair): Excellent. We've got one minute.

D. Routley: Just a quick note of disclosure, in a way. The commissioner points to the opportunity for her office to actually help organizations and that there's maybe a resistance to engaging for fear of reputational loss or consequences. I'd have to say that our own party has experienced that particular situation when it came to the collection of social media passwords.

There's obviously a reluctance to engage because of the potential difficulty, not necessarily in exposing, because it's already out there, but in bringing more and more attention to something, whereas the Tylenol case and other cases point to the positive outcomes when organizations are proactive in dealing with these problems.

E. Denham: Tell it all. Tell it fast. Tell the truth.

You know, dealing with our organization…. We try to be clear when we're acting as teacher, when we're acting as adviser and when we're into an enforcement activity. I think for breaches, right now we're really generous with our advice and teaching and our ability to help and not to penalize. But it's organizations that don't tell us or resist — that's when we're going to launch an investigation.

But I agree: we have to be really clear on that. We've been fair. We've investigated both major parties in this province for privacy issues, not just the NDP.

M. Bernier (Chair): On that note, and conscious of the time….

Obviously, I really appreciate all the questions, as well, because it looks like it's something that we could have gone on with quite a bit longer.

I really appreciate your time, Elizabeth and Michael. Thank you for coming in today and answering some of these questions, with the briefing note that you gave us, as well, which we can read a bit more in detail. I know there are going to be further submissions, further discussions that we're going to have with you as we go forward.

As a committee, I know we're really looking forward to taking on this task. One advantage as Chair, I know, choosing to go last with questions, is most of my questions were answered. I had a few, but I'll save those for a later date.

With that, thanks very much for coming in, and we will adjourn the meeting.

The committee adjourned at 10:30 a.m.

