The Standing Committee on Access to Information, Privacy and Ethics issued its much-anticipated report on the reform of Canada’s private sector privacy law earlier this month. Despite hearing from 67 witnesses, the Committee followed the lead of Industry Minister Maxime Bernier and Privacy Commissioner Jennifer Stoddart – neither of whom argued forcefully for reform – by issuing a tepid report that rejects the changes that many privacy advocates believe are necessary to improve the effectiveness of the current legal framework.
Instead, the final report, which includes separate dissenting opinions from the Conservative and Bloc Quebecois Members of Parliament, features 25 recommendations that at best represent little more than tinkering with the law and at worst undermine privacy protections in several key areas, most notably the use of privacy law to counter the mounting spam problem.
Most of the major issues presented to the Committee, including beefing up the Privacy Commissioner's powers, adopting a "name and shame" approach for privacy violators, and safeguarding Canadian data that is outsourced to other jurisdictions, were met with indifference, as the Committee recommended no further reforms.
In fact, even a mandatory security breach notification requirement – widely expected as a response to the massive data security breaches involving retail giants Winners and Homesense – was tempered with a recommendation to require notification to the Privacy Commissioner, not necessarily to the individuals affected by the breach.
While the Committee was largely content to stick with the status quo, some proposed changes will actually undermine the effectiveness of the current law. For example, two years ago the National Task Force on Spam (of which I was a member) called for a new anti-spam law but recognized that there was a role to play for the current privacy statute in the spam fight. The Committee would largely eliminate that role by exempting business email addresses from the scope of the statute. If the recommendation is implemented, spammers could brazenly send spam to corporate email addresses without fear of a Canadian privacy complaint.
In fairness to the Committee, many of their recommendations appear to have been shaped by the inexplicably weak responses from Industry Minister Bernier (who is responsible for the legislation) and Privacy Commissioner Stoddart.
Officials from Industry Canada, who were the first to appear before the Committee, came completely empty handed, surprising Committee members by conceding that they had no authority to recommend reforms and could not comment on the effectiveness of specific provisions within the law. While there was some speculation that Bernier would come before the Committee, a personal appearance never materialized.
Stoddart followed soon after, but to the dismay of many in the privacy community, cautioned against major reform. When asked about the prospect for order making power to match her provincial counterparts or enhanced power to name privacy violators, she indicated that such changes were premature. Committee members concerned about the effectiveness of the current law in the face of cross-border data transfers were similarly assured that further reforms were unnecessary (despite the fact that Stoddart was recently ordered by the Federal Court of Canada to investigate a case involving a U.S. organization after refusing to even launch an investigation).
Even on the hot button issue of the day – mandatory notification of security breaches that place Canadians at risk of identity theft – the Commissioner offered only mild support. Indeed, it was the Committee, not Bernier or Stoddart, that vigorously promoted the desirability of a mandatory notification system.
In light of that testimony – combined with the fact that only one other Canadian privacy commissioner even bothered to appear before the Committee – the report is a disappointment, though not much of a surprise.
Moreover, the two dissenting opinions reinforce the challenge of gaining all-party support for privacy reform. The Conservative MPs on the Committee issued a dissenting opinion to emphasize their desire to avoid changes "that would unduly increase the compliance burden on the small business community." The Bloc Quebecois MPs went further, noting for the record their "complete disagreement with this Act." The Bloc dissent provided a powerful reminder that Quebec has launched a constitutional challenge that contests the validity of federal privacy legislation.
Scott McNealy, the CEO of Sun Microsystems, is well known for having once dismissed consumer privacy concerns by stating that "You have no privacy. Get over it." The Committee report and the dissenting opinions send a similar message to Canadians. There will be no significant privacy reform. Get over it.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He is a member of the Privacy Commissioner of Canada's External Advisory Board. He can reached at email@example.com or online at www.michaelgeist.ca.