A House of Commons committee has recommended that Canadian businesses should notify their customers of data breaches. The Standing Committee on Access to Information, Privacy and Ethics (Committee) tabled its review of the Personal Information Protection and Electronic Documents Act (PIPEDA) on May 2, having heard dozens of witnesses give testimony over a period of several months.

The Committee recommended that PIPEDA be amended to include mandatory breach notification, requiring organizations in possession of personal information to report breaches to the federal Privacy Commissioner. The Committee stated that consideration should also be given to questions of timing and manner of notification, penalties for failure to notify, and the need for a "without consent" power to notify credit bureaus in order to assist in protecting consumers from identity theft and fraud.

The Committee also recommended that changes be made to the consent provisions of PIPEDA, including a clarification of consent by minors to the collection, use and disclosure of their personal information. The US Children's Online Privacy Protection Act requires that organizations that collect personal information from children under the age of 13 must obtain verifiable parental consent. Canada has no similar provision, and the definition of "minor" varies widely from province to province.

Perhaps just as important were the Committee's views on how PIPEDA should not be amended. Unlike some of her provincial counterparts, the federal Privacy Commissioner does not have binding, order-making authority. Some legal observers felt this was a flaw in the legislation. Some Committee witnesses had also criticized the Privacy Commissioner for failure to publicly identify organizations that she found had contravened the law. However, the Commissioner herself testified that she did not want additional order-making authority. Her office has recently adopted a policy of asking the Federal Court to enforce any of the Commissioner's recommendations an organization chooses to ignore. Such an application would both publicly identify the reticent organization and subject it to the binding authority of the Court. While it remains to be seen whether this will placate her critics, the Committee agreed with the Privacy Commissioner's request and recommended that she should not be granted additional order-making powers, and that her discretionary power to publicly name organizations in the public interest remain unchanged.

In the wake of national and international concerns about the ability of US federal law enforcement, under the USA PATRIOT Act, to gain surreptitious access to the personal information of foreign nationals processed in the United States or by US-linked organizations outside that country, various provincial governments and federal ministries have taken steps to limit transborder flows of personal information. However, the Committee recommended that no additional amendments be made to PIPEDA with respect to restricting the transborder flow of personal information.

To review all of the Committee's recommendations, see the Statutory Review of the Personal Information Protection and Electronic Documents Act. For the Guide to the US Children's Online Privacy Protection Act, follow this link. And follow the link for an article on the role of the Privacy Commissioner in initiating hearings before the Federal Court.

Summary by: Jason Young

E-TIPS® ISSUE

07 05 09

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.