When the Canadian government enacted private sector privacy legislation – known as the Personal Information Protection and Electronic Documents Act (PIPEDA) – it included an important provision mandating a parliamentary review of the law every five years.
Later today, the Standing Committee on Access to Information, Ethics, and Privacy, which is chaired by Scarborough MP Tom Wappel, will hold the first of several PIPEDA review hearings. Representatives from Industry Canada will lead off, followed over the next week by privacy experts and the Privacy Commissioner of Canada. With the hearings expected to extend into mid-December, it is likely that the committee will repeatedly hear that the law has failed to provide Canadians with the privacy protection they expect and that significant reform is desperately needed.
Over the past five years, Canadian privacy law has enjoyed some noteworthy successes. The federal privacy commissioner has released more than 350 findings in response to Canadians' complaints and many organizations have created privacy policies to better inform the public about the collection, use, and disclosure of their personal information.
The good news has been overshadowed, however, by Canadians' mounting concern with the protection of their privacy. Identity theft has emerged as a major criminal activity, spam and phishing show no sign of abating, cross-border transfers of personal information have generated heated debate in the House of Commons, and even the federal privacy commissioner has found herself victimized by "pre-texters," who use impersonation techniques to capture personal information.
Although addressing these issues will require more than just PIPEDA reform, the federal privacy law is a good place to start. There are at least four major changes that would go a long way to addressing the shortcomings in the current law.
First, the law should include a mandatory security breach disclosure requirement. Dozens of U.S. states have enacted such legislation, which mandates the disclosure of security breaches to individuals whose personal information has been placed at risk.
The legislation provides individuals with the notice they need to mitigate the potential damage from identity theft, while simultaneously creating incentives for organizational privacy and security compliance. The approach has generated intense interest from U.S. companies, who fear the reputational harm that may arise if they fail to adequately protect their customers' personal information.
Second, the law should be amended to provide the federal privacy commissioner with order-making power. Under the current statute, the commissioner addresses privacy complaints by issuing non-binding findings. These findings are a source of enormous frustration for complainants, who frequently learn to their dismay that months after their privacy rights have been violated, they receive nothing more than a letter confirming the violation and advising that they are entitled to take their case to the federal court if they are dissatisfied with the outcome of their complaint.
By adding order-making power to the federal privacy commissioner's arsenal (most provincial privacy commissioners already have order-making power), complaints could lead to fines, penalties, or mandatory reporting requirements. This change might help reverse the disappointing levels of corporate compliance with the law, which stem in part from the general consensus that the privacy commissioner simply does not wield sufficient power to incentivize full compliance.
Third, in stark contrast to other privacy authorities in Canada and around the world, the federal privacy commissioner does not believe that the current law provides her with the power to regularly identify those organizations that have been subject to well-founded privacy complaints.
As a result, Canadian organizations enjoy the benefits of anonymity, even when they violate the law. This too reduces corporate compliance and adversely impacts Canadians’ ability to proactively protect their own privacy. While many believe that the privacy commissioner could interpret the law more aggressively by naming names, additional clarification may be needed to remove any lingering doubts.
Fourth, Ottawa must begin to address the growing concern in Canada over the outsourcing of personal information to non-Canadian organizations, particularly data flows to the United States. The result of such outsourcing is that Canadians' personal information is potentially subject to secret disclosure under U.S. laws, including the USA Patriot Act.
Several provinces, including British Columbia, Quebec, and Nova Scotia, have taken steps to reduce the ability of U.S. authorities to compel secret disclosure. The federal government has yet to adopt similar statutory protections, fuelling concern that Canadian privacy law could be rendered meaningless in the face of U.S. law enforcement powers.
With privacy breaches and identity theft concerns popping up regularly, Canadians can ill afford to wait another five years for meaningful privacy protections. While few observers expect privacy law reform to emerge as a top legislative priority, the PIPEDA review presents an excellent opportunity to build the foundation for future change.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He is a member of the Privacy Commissioner of Canada’s External Advisory Board. He can be reached at firstname.lastname@example.org or online at www.michaelgeist.ca.