The Canadian Government’s Embarrassing Opposition to Security Breach Disclosure Legislation

Last week, the Privacy Commissioner of Canada released her vision of privacy reform,
including the need for security breach disclosure legislation,
order-making power, and greater transparency of warrantless disclosure.
On the same day as Commissioner Stoddart released her position paper,
the government was embarrassing itself in the House of Commons by
formally opposing security breach disclosure legislation on the weakest
of grounds. The opposition to meaningful privacy reform is particularly
discouraging given the thousands of breaches
that have occurred in recent years from within the government itself
and its claims to be concerned with the privacy of Canadians.

The government introduced legislation featuring security breach disclosure requirements in Bill C-12 in September 2011 (itself a reintroduction of the former C-29
that was first introduced in 2010).  Since first reading, the bill has
not moved. It would take very little for the government to complete
second reading and send the bill for study to committee, yet more than a
year and a half later, the bill languishes, certain to die this summer
when the government hits the parliamentary reset button. Frustrated by
the inexplicable delays, NDP MP Charmaine Borg introduced a private
member’s bill in February (C-475) that includes a mandatory security breach requirement roughly similar to the government’s own bill. 

Both bills include notification requirements to the Privacy
Commissioner of Canada in the even of certain security breaches. A
comparison of the two bills is posted below:

Bill C-12 (Government Bill)
Bill C-475 (MP Borg Private Member Bill)
(1) An organization shall report to the
Commissioner any material breach of security safeguards
involving personal information under its control.
(2) An organization having personal
information under its control shall notify the Commissioner
of any incident involving the loss or disclosure of, or
unauthorized access to, personal information, where a
reasonable person would conclude that there exists a
possible risk of harm to an individual as a result of the
loss or disclosure or unauthorized access.
(2) The factors that are relevant to
determining whether a breach of security safeguards is
material include
(a) the sensitivity of the personal information;
(b) the number of individuals whose personal information was
involved; and
(c) an assessment by the organization that the cause of the
breach or a pattern of breaches indicates a systemic
(3) The factors that are relevant in
determining whether a loss or disclosure of, or unauthorized
access to, personal information would be considered by a
reasonable person as creating a risk of harm are
(a) the sensitivity of the personal information; and
(b) the number of individuals whose personal information was

Both bills follow the notification to the Commissioner with a
potential notification to individuals who may be affected by the
breach.  Notwithstanding the similarities, government MPs used
debate in the House of commons last week to mischaracterize
C-475.  Conservative MP Parm Gill stated:

I wish to point out that the data breach notification regime
proposed in Bill C-475 takes a starkly different approach than
that in Bill C-12. Bill C-475 requires organizations to first
notify the Privacy Commissioner of every potential data breach,
regardless of context or remoteness. The Privacy Commissioner must
then determine whether affected individuals should be notified.
Given the potential number of breaches that could be reported,
such a regime would increase costs and burdensome compliance
procedures for Canadian businesses and would impose an unwieldy
financial and administrative burden on the Office of the Privacy
Commissioner, generating more costs than benefits for taxpayers.

As the table notes, the claim that there is a required notification
of every breach in C-475 regardless of context or remoteness is
simply false. Gill also wrongly claimed that C-475 would not capture
breaches only affecting a few individuals and that the bill does not
define “appreciable risk of harm.”  In fact, both C-12 and
C-475 use roughly the same definition of harm.  The
inaccuracies continue as Gill claims that C-475 creates
uncertainties on the form of notification, yet it follows much the
same approach as C-12. After Gill’s inaccuracies, MP Mike Lake picks
up the torch, making many of the same claims and then noting that
C-12 addresses a broader range of PIPEDA reforms.  That is an
unfair comparison, given that C-475 only tries to address a narrow
range of issues and only comes after the government sat on its own
bill for a year and a half (other than a single
for unanimous consent to send the bill to committee).

While the government would have the public believe that its bill is
preferable to Borg’s, the real message here is clear: the government
isn’t serious about privacy reform and would rather mischaracterize
efforts to get long overdue reforms moving as opposed to
prioritizing its own bill that has not been allocated any time for
debate since its introduction in September 2011.

via Michael Geist Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: