The Standing Committee on Access to Information, Privacy, and Ethics yesterday released its much-anticipated (by the privacy community at least) PIPEDA report [pdf]. Canada's private sector privacy law mandates a review of the statute every five years. This report is the first report on the law and it draws from several months of hearings that featured 67 witnesses. The committee report makes 25 recommendations, yet those expecting an upgrade to Canadian privacy legislation will be deeply disappointed. Most of the recommendations involve relatively small changes that make the federal law more consistent with the provincial laws in Alberta and B.C. (i.e., a change in the business contact information provision that will severely hamper the ability to use PIPEDA to challenge spam) or seek to clarify the current wording (i.e., clarification of different forms of consent).
On the big issues of the day, the committee generally recommended no change. In particular, the committee recommended no order-making power, no naming names, and no additional provisions related to transborder data flows. The committee does recommend the creation of a breach notification provision, but stops short of matching U.S.-style provisions by recommending that the notification go first to the Privacy Commissioner, who would then determine whether individuals should be notified. The one exception to this generally dismal outcome is that the committee recommended the removal of Section 7(1)(e), which allows organizations to collect and use personal information on national security grounds. The Conservative MPs on the committee issued a dissenting opinion on this provision and it stands no chance of being implemented by the current government.
What to take away from the report?