A review of Canada’s privacy law has resumed amid calls for more power for the Privacy Commissioner and mandatory security breach notification by Canadian enterprises.
The Standing Committee on Access to Information, Privacy, and Ethics – chaired by Tom Wappel, MP for Scarborough Southwest – began the five-year statutory review last November. It has met eight times, hearing testimony from a wide variety of stakeholders. Some of the potential changes are being met with resistance from factions who approve of the current act’s self-regulation model.
“This review is important because technology is changing at such a rapid pace and the availability of information about people is expanding at such a rapid pace that we cannot help but face what’s going on now and in the future by trying to look in the crystal ball and bring the act into the 21st Century,” said Wappel.
The committee held its first meeting of the new year on Jan. 30. The hearings are expected to continue into mid-February, after which a couple of weeks of discussion will yield the instructions that will then be given to the drafters, according to Wappel, who hopes to have a first draft of the report around the end of March or the beginning of April.
The act has been criticized for being too lax. The Privacy Commissioner is powerless to punish, critics say, and can only make recommendations. Even when a massive security breach has occurred, companies aren’t required to inform the parties whose personal information has been compromised.
“The legislation needs to have incentives to make sure companies respect the public’s privacy,” said Philippa Lawson, executive director of the Canadian Internet Policy and Public Interest Centre (CIPPIC). “The legislation’s not bad, but the main problem is there’s no way to enforce any of it.”
CIPPIC’s report to the committee calls for order-making powers to be granted to the Privacy Commissioner, which would back up its recommendations with fines. This could save complainants from being forced to take their case to the courts, and it would also make it easier for people to sue, Lawson said. “The Privacy Commissioner should be able to give binding orders that, if companies don’t comply, they can get in real trouble,” Lawson said.
Bernard Courtois, president and CEO of the Information Technology Association of Canada (ITAC), said better educating companies about PIPEDA is more important than granting the Privacy Commissioner additional powers.
“The platform of self-regulation model is proven to be efficient and effective. We’ve built privacy codes, and there’s the Privacy Commissioner to go to with questions and complaints, and you can go to the courts to enforce it,” said Courtois. “We’re not saying that compliance is perfect, but it’s education’s job, not the courtroom’s.”
CIPPIC is also advocating for additions to the act that would make it mandatory for companies to inform affected parties when their personal information has suffered a security breach. Last month, for example, the CIBC lost data on 470,000 mutual fund customers, and though it made efforts to contact those affected, it wasn’t legally obligated to do so. CIPPIC recommended that, if the information leaked was sufficiently sensitive (i.e. name, social insurance number, et cetera) and readable (i.e. unencrypted), a company would have to notify its clients.
The Canadian Bar Association (CBA) is advocating the same thing, along with more stringent definitions of what actually is personal information and what isn’t, according to Brian Bowman, chairperson of the CBA’s national privacy and access law committee and one of the CBA spokespeople at the hearings.
“If (security breach notification legislation) is brought in, it needs to be a balanced approach. Some (American) states make it so that you automatically have to inform people of any breach, although it’s not in anybody’s best interests to make it so strict,” he said. “But you don’t want it so full of holes that businesses can slip through.”
University of Ottawa Canada research chair of Internet and e-commerce law Michael Geist wants to see PIPEDA working harder – giving companies more incentive to encrypt their information, for instance – to ensure that these breaches don’t happen in the first place. He said the law must go further than encryption to include back-end issues, such as when data is collected, ways used to secure it, and who has access. “We need to think harder about why we collect information. You only suffer personal security breaches if the information is all there in the first place – it’s almost a security breach waiting to happen,” said Geist.
The Canadian Marketing Association (CMA) prefers the generality of the current act and doesn’t want security breach measures adopted into the act, since “a certain amount of interpretation needs to flow (so) it can grow with the real world,” according to vice-president of public affairs and communications Wally Hill, who also testified. “When you put something into legislation, it is, to some extent, set in stone, making it very hard to adjust and fine-tune. It is still too early to be going in and changing something that has been working so well,” he said.
The CMA, along with ITAC, is instead suggesting the creation of a set of guidelines for security breach notifications developed by the Privacy Commissioner in partnership with industry that could then be disseminated via business publications, associations, the Web and government publications. “There’s a lot of work to be done with awareness and education, especially among small and medium-sized businesses,” said Hill.