CIPPIC Testimony on Digital Privacy Bill: Some improvements, many flaws, and lots of unfinished business
Bill S-4, the Digital Privacy bill, introduces amendments to PIPEDA, Canada's federal commercial sector privacy law. The Bill, a result of PIPEDA's first five year review conducted in 2006, introduces some far overdue improvements to Canada's privacy protection toolset at a time when privacy has never faced greater challenges. These include the adoption of a breach notification regime which would obligate companies to notify customers (as well as the Privacy Commissioner) whenever a privacy breach can place affected individuals at risk of significant harm, and the adoption of more robust consent obligations. However, as CIPPIC pointed out in its testimony and response to follow-up questions, the framework adopted by Bill S-4 in addressing these issues is flawed. The data breach notification regime in particular will fail to instill incentives for better security safeguards as it only applies to breaches that pose a significant threat of harm to affected individuals. Yet the reality of security breaches is that it will often be highly uncertain whether data was even exposed, meaning many serious breaches will go unreported. Moreover, even trivial breaches that do not pose a specific risk to individuals are often indicative of a general laxity in technical safeguards. These too will remain unreported.
Of greater concern, the Bill also includes a number of troubling exceptions that would expand the conditions under which organizations can hand over sensitive customer information to third parties. One exception would allow ISPs, online blogging discussion fora, social media sites and others to help companies trying to sue their customers by handing over sensitive customer information. It also allows for nigh unlimited information-sharing in the context of a cybersecurity breach. Such breaches often implicate immense amounts of sensitive data. The PIPEDA amendments fail to impose any obligations for companies dealing with a breach to minimize privacy impact when handing over these data troves. Additionally, our national security agencies are increasingly implicated in domestic security breaches, yet Bill S-4 does nothing to prevent them from repurposing the data troves they receive for security breaches into general security information and keeping it indefinitely. As such, there is serious concern that the emails, financial/banking information, health data, and other sensitive information that is commonly implicated in data breaches will simply be rolled in to these security agencies general profiling activities and ultimately used against the individuals who the data breach notification regimes is supposed to protect. Indeed, Bill C-51, currently being rushed through both houses of parliament at once, will make it even easier by removing barriers to 'all of government' information sharing for cybersecurity purposes.
Response to INDU Follow-Up Questions Regarding Bill S-4 [PDF]