My weekly Law Bytes column (Toronto Star version, homepage version) examines the PIPEDA review which begins today. Representatives from Industry Canada will lead off, followed over the next week by privacy experts and the Privacy Commissioner of Canada. With the hearings expected to extend into mid-December, I argue that it is likely that the committee will repeatedly hear that the law has failed to provide Canadians with the privacy protection they expect and that significant reform is desperately needed.
Over the past five years, Canadian privacy law has enjoyed some noteworthy successes. The federal privacy commissioner has released more than 350 findings in response to Canadians' complaints and many organizations have created privacy policies to better inform the public about the collection, use, and disclosure of their personal information. The good news has been overshadowed, however, by Canadians' mounting concern with the protection of their privacy. Identity theft has emerged as a major criminal activity, spam and phishing show no sign of abating, cross-border transfers of personal information have generated heated debated in the House of Commons, and even the federal privacy commissioner has found herself victimized by "pre-texters," who use impersonation techniques to capture personal information.
Although addressing these issues will require more than just PIPEDA reform, the federal privacy law is a good place to start. I point to at least four major changes that would go a long way to addressing the shortcomings in the current law:
- the law should include a mandatory security breach disclosure requirement
- the law should be amended to provide the federal privacy commissioner with order-making power
- the law should remove any lingering doubt about the power of the federal privacy commissioner to regularly name names in well-founded findings
- Ottawa must begin to address the growing concern in Canada over the outsourcing of personal information to non-Canadian organizations, particularly data flows to the United States
I conclude that with privacy breaches and identity theft concerns popping up regularly, Canadians can ill-afford to wait another five years for meaningful privacy protections. While few observers expect privacy law reform to emerge as a top legislative priority, the PIPEDA review presents an excellent opportunity to build the foundation for future change.