My weekly Law Bytes column (Toronto Star version, homepage version) examines the Standing Committee on Access to Information, Privacy and Ethics' much-anticipated report on the reform of Canada’s private sector privacy law released earlier this month. Despite hearing from 67 witnesses, the Committee followed the lead of Industry Minister Maxime Bernier and Privacy Commissioner Jennifer Stoddart – neither of whom argued forcefully for reform – by issuing a tepid report that rejects the changes that many privacy advocates believe are necessary to improve the effectiveness of the current legal framework.
Instead, the final report, which includes separate dissenting opinions from the Conservative and Bloc Quebecois MPs, features 25 recommendations that at best represent little more than tinkering with the law and at worst undermine privacy protections in several key areas, most notably the use of privacy law to counter the mounting spam problem. Most of the major issues presented to the Committee, including beefing up the Privacy Commissioner's powers, adopting a "name and shame" approach for privacy violators, and safeguarding Canadian data that is outsourced to other jurisdictions, were met with indifference, as the Committee recommended no further reforms. In fact, even a mandatory security breach notification requirement – widely expected as a response to the massive data security breaches involving retail giants Winners and Homesense – was tempered with a recommendation to require notification to the Privacy Commissioner, not necessarily to the individuals affected by the breach.
In fairness to the Committee, many of their recommendations appear to have been shaped by the inexplicably weak responses from Industry Minister Bernier (who is responsible for the legislation) and Privacy Commissioner Stoddart.