Thursday May 23, 2013
Privacy Commissioner of Canada Jennifer Stoddart this morning set out her office's goals for PIPEDA reform.
The last attempt to reform the private sector privacy law stalled in
the House of Commons with Bill C-12 still technically alive (having been sitting at
second reading for months) but destined to die once the government hits
the legislative reset button in the summer. The five-year mandatory
review of PIPEDA is now years behind schedule, so Stoddart's attempt to
kick-start the process is a welcome development.
The PIPEDA report focuses on four areas of reform: stronger enforcement
powers, mandatory security breach disclosure, increased transparency on
personal information disclosures, and heightened accountability. In
particular, the OPC is calling for:
- Reform PIPEDA to provide for stronger enforcement powers. These
could include statutory damages (administered by the Federal Court); or
giving the Commissioner the power to make orders; or affording the
Commissioner with the power to impose administrative monetary penalties;
or a combination of the above;
- Require organizations to report breaches of personal
information to the Commissioner and to notify affected individuals,
where warranted, so that appropriate mitigating measures can be taken in
a timely manner;
- Require organizations to publicly report on the number of
disclosures they make to law enforcement under paragraph 7(3)(c.1),
without knowledge or consent, and without judicial warrant, in order to
shed light on the frequency and use of this extraordinary exception; and
- Modify the accountability principle in Schedule 1 to include a
requirement for organizations to demonstrate accountability upon
request; to incorporate the concept of “enforceable agreements”; and to
make certain accountability provisions subject to review by the Federal
Court.
The report is a great start, but will require leadership from the Minister of Industry that has to date been absent.

Tuesday April 23, 2013
The Standing Committee on Access to Information, Privacy, and Ethics has released its study on privacy and social media.
The report includes recommendations for new Privacy Commissioner
guidelines. The NDP supplemented those recommendations with nine
additional legislative proposals that include mandatory security breach
disclosure, order making power for the Privacy Commissioner of Canada,
and the inclusion of privacy issues as part of a national digital
economy strategy.

Wednesday February 27, 2013
As reports of yet another government security breach emerge, NDP MP Charmaine Borg has at least tried to kickstart the government's dormant private sector privacy reform efforts with a private member's bill
that would add mandatory security breach disclosure requirements to the
law along with new order making power. The government's own privacy
reform bill - Bill C-12 - has languished for years with no real effort
by Industry Minister Christian Paradis to move it forward. Moreover, the
bill has some serious faults, with no penalties for security breach, no
update to the Privacy Commissioner's powers, and provisions that make
organizations more likely to disclose personal information without
warrant during an investigation.
Bill C-475 is a far better proposal, amending
PIPEDA with more clear-cut security breach disclosure requirements
along with order making power that is backed by significant penalties
for compliance failures. Those provisions would go far to ensure greater
respect for Canadian privacy law and give Canadians the assurance of
notifications in the event of security breaches. What the bill does not
do, however, is address the other side of the privacy coin, namely the
failure of government to hold itself accountable for the personal
information it collects and now regularly seems to fail to safeguard.

Tuesday January 15, 2013
Appeared in the Toronto Star on January 13, 2013 as Government Caves to Lobbying Pressure on Anti-Spam Law
Canada's anti-spam legislation was back in the news last week as the
government unveiled revised regulations that may allow for the law to
finally take effect next year. Canada is one of the only developed
economies in the world without an anti-spam law and lengthy delays have
created considerable uncertainty.
Calls for Canadian anti-spam legislation date back to 2005, when a
national task force recommended enacting laws to target spam, spyware,
and other online harms (I was a member of the task force). The
government passed the anti-spam law in December 2010, with many
expecting a quick introduction of the accompanying regulations that
would allow the law to take effect. After business groups criticized
draft regulations released in June 2011, however, the government hit the
pause button, leaving the law in limbo.
Critics used the delay to spread fear about "job losses" and "regulatory
red tape", yet the reality is that the battle over the anti-spam law
boils down largely to a single issue: whether businesses should be
required to obtain explicit, opt-in consumer consent before sending
electronic commercial messages. The law says they should and much of the
intense lobbying for new exceptions is premised on avoiding this
requirement.
The new law unquestionably sets a high bar for consent. It envisions a
marketing framework where consumers reassert some measure of control
over their email in-boxes by opting-in to commercial messages, rather
than being required to opt-out. Moreover, the law establishes email
form requirements to simplify opting-out of future messages should
consumers change their minds and backs the new framework with stiff
penalties for violations of the law.
While an opt-in consent system should be relatively uncontroversial -
businesses benefit by sending messages to consumers who clearly want to
receive them - the vociferous criticism makes it plain that many
marketing organizations fear that if Canadians are asked directly for
their email marketing consent, many will decline.
Given those fears, Industry Minister Christian Paradis faced
considerable lobbying pressure to water down the law through the
regulatory process. Earlier this month, he caved to some demands by
introducing a host of new exceptions that limit the effectiveness of the
opt-in model.
For example, the regulations include a broad new exception for third
party referrals that will allow businesses to send commercial electronic
messages without consent based merely on a referral from a third party.
This issue was hotly debated when the law was being drafted and, at the
time, the government rejected claims that such an exception was
warranted.
The new regulations also include an expansive definition for a "personal
relationships" exception that is likely to be used by organizations to
send unsolicited commercial messages based on limited contact. The
flexible definition of personal relationship may open the door to claims
that Facebook "likes" or similar social media contact is sufficient to
constitute a personal relationship.
Industry groups had asked the government to pre-approve existing
consents obtained under PIPEDA, the private sector privacy law, arguing
that obtaining new consumer consents will be disruptive. The government
rightly rejected those requests, however, since the PIPEDA consents
will often have been implied from consumer activity and not based on an
actual, informed consent.
Those businesses concerned by the new consent standards may find comfort
in the assurance that some requirements are unlikely to take effect
until 2017. The law features a lengthy transition period that will
allow businesses to rely on their existing consents for three years
after the legislation takes effect. Assuming the regulations are
finalized in 2013 and the law becomes operational in 2014, businesses
will have been given seven years to ask Canadian consumers if they
consent to the use of their personal information for marketing purposes.
Michael Geist holds the Canada Research Chair in Internet and
E-commerce Law at the University of Ottawa, Faculty of Law. He can be
reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.