Given the delay between parliamentary committee hearings and the release of transcripts, several of my research students have graciously agreed to sit in on the hearings and take notes. Yesterday's hearings featured four representatives from Industry Canada who were asked to provide a "PIPEDA 101" review. From the notes, it is clear that many committee members expected more, as several requests for recommended amendments were refused with the Industry Canada representatives deferring to the Minister. While it is not clear that Industry Minister Maxime Bernier expected to appear at these hearings, the Committee Chair indicated that he would be called.
The hearings also provided an update on the Quebec constitutional challenge to PIPEDA. The most recent development is apparently Quebec's filing of an affidavit in July 2006, so the case is still alive. Some committee members expressed surprise at the fact that the case has been outstanding for three years.
The key comments and questions, thanks to Natalie Senst, are posted below:
After providing a review of the core provisions of PIPEDA, the representatives commented:
Modifications to original 2001 law
- Mostly public safety requirements (post-9/11)
- Public servants protection act (see fed accountability act before parliament)
- Privacy community (& support from bus community) believes that the act is working quite well
- IT Association of Cda confirms this
- Generally – act is good, some will advocate for stronger powers of the privacy commissioner
Some issues
- Re state of privacy in Canada (not just PIPEDA)
- Role & powers of privacy commissioner
- Transborder data flows (international dimensions to the nature of privacy)
- Offshoring
- Tech & definitional issues
- Suggestions from CBA
- Employee/er relationship in relation to personal info
- Diff from commercial marketplace
- Calls to remove protection for employee email/fax
- M&A:
- Need for flexibility re due diligence
- Definition of "work product" as distinct from "personal info"
Bottom line:
- Testimonials on privacy regime in Canada are positive
- G&M article few wks back – study by Privacy International
- Ranked Cda & Germany as the best grades for privacy protection
- Last quote: by "Ray Protti" – former head of CSIS (committee liked this positive assurance that Canada’s privacy protection was good)
QUESTIONS
Mr. Tom Wappel (CHAIR) (Liberal):
Q. 5 yrs of talks w/stakeholders now. What is the department’s opinion??? Any recommendations for the committee? (agreement with stakeholders on any areas?)
A. Operationalization has taken a long time. Health since only 2004. Looking to committee for public consultation (then to bring amendments later). Seeking guidance & advice from committee
Mr Pat Martin (NDP):
Q. Is there a duty to notify individuals of a breach (high profile breaches by corporations – VISA used as example)? There seems to be an obligation to inform individuals of breaches of personal info that occur – do you recommend this duty? Would non-notification of a breach be something that could be complained to the privacy commissioner about?
A. Privacy commissioner: deemed to have no power to name names & enforce a duty. An individual probably can complain right now (if reason to believe personal info accessed by another w/out knowledge/consent). See 10 principles of CSA code (requires organizations to take proper steps to secure personal info in their hands – negligence is not ok). US states: have adopted duties to notify (state by state basis). CDA: No duty to notify everyone in a PUBLIC forum.
Mr David Tilson (Conservative):
Q. Asking industry for advice. List of recommended amendments for committee to recommend to parliament.
A. Not authorized to give amendment recommendations. Must ask the Minister.
Q. Does the office have sufficient resources to handle what it's supposed to do? Lots of spending on consultants
A. Never enough $.
Q. Investigations/audits by office of privacy commissioner. Should the office of PC be quasi-judicial? Adequate authority? Relation of Industry with the office of PC.
A. Already quasi-judicial. Relation – we are policy, deal with regulatory issues. Close work with governor council's responsibilities. Policy for considering laws as substantially similar. Work closely on international issues (OECD active). Not norms for privacy protection, but areas for cooperation of cross-border privacy laws
Mr James Peterson (Liberal):
Q. Any argument that the privacy commissioner should not have order-making powers?
A. Go to privacy commissioner herself.
Mr Mike Wallace (Conservative):
Q. This is a required review – not so political. Would it have been better to hear from minister first, or to get permission for these witnesses to make recommendations. July 2006 report: not the role of privacy commissioner to draft proposals for PIPEDA
A. Asked to provide an overview of the bill (PIPEDA 101). If recommendation asked for, would have sought the "ok", or sent in the minister
Q. What amendments are likely to be proposed
A. See witness statements
Q. 4 provinces with own version. Are there things the provinces do better? Badly? Definition in BC model? Good/bad/better?
A. Provincial privacy acts (except Que) came after fed law. Issues like work product issue (differ). Prov privacy commissioners are excellent people to discuss privacy protection in general & regime for privacy protection in Cda generally. Review of similarities & differences (Chair notes that all privacy commissioners were invited to appear – 3 declined, BC will be here).
Ms Marlene Jennings (Liberal):
Q. Issue of consent. Shared with divisions & 3rd parties. Study at UofO: problem re express/implied – what type is required in order to share with 3rd parties (not all companies have put into place a protocol & if so, not always accessible to consumer)
A. Re study at UofO – hair-raising indeed. Study also points to awareness of orgs of their responsibility (prov or fed). Edu component – to be addressed by privacy commissioner.