A range of critics, including the office of Canada's privacy commissioner, is urging the Conservative government to change its digital privacy bill, warning it will open the door to private companies swapping personal information of clients and others without any consent or notification.
Bill S-4 is aimed at overhauling the rules for online privacy, giving new power to the Privacy Commissioner and introducing new penalties for privacy breaches. Parts of it have broad support, and it is one of a handful of new bills before Parliament with implications for how Canadians' private online information can be handled and shared.
In Senate testimony, however, experts have broadly opposed a provision in the bill allowing private companies to voluntarily share data with one another – without telling the commissioner or the people whose personal information is being swapped – to investigate whether a law or "agreement," such as a contract, has been broken.
Experts fear that will open the floodgates to warrantless data-sharing with only a nominal threshold to justify it.
The change "could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office," Patricia Kosseim, the privacy commissioner's senior general counsel and director general, said to a Senate committee Wednesday evening, urging government to reconsider the amendment. Ms. Kosseim spoke to the committee in the absence of a commissioner; Daniel Therrien was approved as Canada's next commissioner in a vote the next day.
Michael Geist, the Canada Research Chair of Internet and E-commerce Law at the University of Ottawa, echoed the call to do away with that part of the bill. "The provision opening the door to massive expansion of warrantless non-notified voluntary disclosures should be removed from the bill," he said.
In other testimony, John Lawford of the non-profit Public Interest Advocacy Centre said the bill's data-sharing provision could conceivably lead to companies issuing blanket requests for data from another company. "That's fishing and it's completely unprecedented," Mr. Lawford said.
The Marketing Research and Intelligence Association also criticized the data-sharing proposal, with Annie Pettit, the association's chair of publications, telling the committee such sharing should require legal oversight, such as a court order.
Government officials have said there's no evidence that company-to-company data sharing is occurring in other jurisdictions where laws allow it, and Industry Minister James Moore, who is leading the government's push to pass the bill, has said companies must follow rules on disclosure.
"These rules ensure that information is only released when there is a reason to believe the law has been broken, the investigation would be compromised by notifying the individual and that only information needed in the investigation is released. If a company breaks these rules, the privacy commissioner can take legal action," he said in a statement on his website. In response, the privacy commissioner's office said it simply won't know about many of the cases, while Mr. Geist said it was hard for someone to take legal action without knowing a disclosure took place.
Mr. Geist supported other parts of the bill. Those include clarification about what companies need to do to get consent online – such as through terms-of-use agreements – from people, particularly children. "Consent is meaningless if the person doesn't understand to what they are consenting," he said. He supports a provision allowing the commissioner to essentially "name and shame" companies who breach privacy, and the bill's proposed expanded timeline for a commissioner to take a company to court in the case of a complaint.
However, he criticized the data sharing provision, and called for government to require companies to disclose more breaches to the commissioner – currently, the bill only requires disclosure in cases where there is a "real risk of significant harm." He said that will lead to "significant underreporting of [privacy] breaches" and called for a lower threshold.
Mr. Geist also called on government to give the commissioner more powers, including applying cash penalties.
He cited a "glaring omission" in the bill – no mention of the warrantless disclosures, such as those from telecommunications companies to law enforcement. "In my view, this creates victims of us all – disclosure of our personal information often without our awareness or explicit consent," he said. He said the law should require organizations to publicly disclose the number of disclosures they make, each quarter, as well as requiring companies to notify people whose information has been handed out, except if it would affect an active investigation.
Wally Hill, a senior official with the Canadian Marketing Association, said the bill's requirement that companies keep records of all data breaches indefinitely is too broad. "We believe the legislation should be amended to clarify the scope," he said, suggesting it be kept for two years.
Mr. Moore spoke to the committee last week, saying the bill was produced with more consultation than previous versions, C-12 and C-29. He noted the interim privacy commissioner applauded parts of the bill shortly after its tabling.
"The way in which we've brought this forward after having consulted, I think, more effectively is something that's been well received," Mr. Moore told senators considering the bill. "…What we're trying to do is put in place an accountability system for organizations so they take care of information, so that they're careful."
In the end, Mr. Moore said users have some responsibility to know what they're consenting to online. "Be careful what you click," Mr. Moore told senators.
Bill S-4 is currently before the Senate and has yet to go through the House of Commons, and won't become law before fall.