The Standing Committee on Access to Information, Privacy, and Ethics yesterday released its much-anticipated (by the privacy community at least) PIPEDA report [pdf]. Canada's private sector privacy law mandates a review of the statute every five years. This report is the first report on the law and it draws from several months of hearings that featured 67 witnesses. The committee report makes 25 recommendations, yet those expecting an upgrade to Canadian privacy legislation will be deeply disappointed. Most of the recommendations involve relatively small changes that make the federal law more consistent with the provincial laws in Alberta and B.C. (ie. a change in the business contact information provision that will severely hamper the ability to use PIPEDA to challenge spam) or seek to clarify the current wording (ie. clarification of different forms of consent).
On the big issues of the day, the committee generally recommended no change. In particular, the committee recommended no order making power, no naming names, and no additional provisions related to transborder data flows. The committee does recommend the creation of a breach notification provision, but stops short of matching U.S. style provisions by recommending that the notification go first to the Privacy Commissioner who would then determine whether individuals should be notified. The one exception to this generally dismal outcome is that the committee recommended the removal of Section 7(1)(e), which allows organizations to collect and use personal information on national security grounds. The Conservative MPs on the committee issued a dissenting opinion on this provision and it stands no chance of being implemented by the current government.
What to take away from the report?
I suspect the privacy community will be very disappointed with the tepid recommendations for change. I would candidly argue that some of the responsibility for the lack of urgency does not lie with committee members – they were grappling with multiple points of view – but rather with the two privacy commissioners who appeared before the committee (Federal Commissioner Jennifer Stoddart and B.C. Commissioner David Loukidelis). The report repeatedly refers to their opinions on all the big issues and heed their advice to make no major changes.
It is also interesting to see a shift toward provincial privacy leadership. While PIPEDA creates a privacy framework that requires the provincial laws to be "substantially similar" to the federal statute, this report moves us in the opposite direction by recommending reforms that would make the federal law substantially similar to its provincial counterparts.
Finally, it seems to me that we are a long way from seeing serious privacy law reform in Canada. The public sector privacy law has been waiting decades for reform with no sign of change and this first attempt at private sector reform suggests that the wait on PIPEDA may be just as long. With strong business opposition to reform, opposition to the law itself from the Bloc (which issued its own dissent to remind everyone that it opposes the law), and privacy commissioners facing pressures to moderate their public position on reform, I fear that it is going to be years before Canadian privacy law changes in any significant way.