Advance Preview of PIPEDA 2.0
Remarks for the Canadian Bar Association (CBA) Canadian Legal Conference and Expo
Quebec City, Quebec
August 19, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon. I’m so pleased to have been invited to open this panel discussion. Needless to say, discussions on possible PIPEDA reforms are of enormous interest to my Office!
The privacy landscape is a constantly changing one – and our laws need to keep up. Fortunately, the architects of PIPEDA recognized this fact and included a requirement that Parliament review the section of the legislation dealing with data protection every five years.
If only we had the same provision in the Privacy Act. That Act has been left unchanged for a quarter-century and this neglect is showing – Canada’s public sector privacy law is horribly out-of-date.
I want to express my thanks to the CBA for the role you have played in advocating for legislative reforms and for your support of privacy issues in both the public and private sectors.
My Office is encouraging Canada’s next generation of lawyers to critically reflect on privacy and the law. This fall we are launching an essay contest for undergraduate law students across the country. We’re inviting them to write on privacy law and one of my Office’s four priority privacy issues: information technology and privacy, national security and privacy, identity integrity and protection or genetic privacy. Contest details – along with a number of other documents prepared by my Office – are available at our OPC kiosk in the exhibitor’s area.
Over the next few minutes I’d like to provide a bit of background on PIPEDA review and also share my perspective on a few key issues discussed during the review process.
The task of conducting a Parliamentary review of PIPEDA after its first five years fell to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which began its work in the summer of 2006.
Committee members heard from 67 witnesses and considered 34 submissions from individual Canadians, private sector associations, privacy advocates and my Office. Those numbers suggest there’s a strong interest in privacy matters in Canada.
In May of last year, the committee presented its final report, which included 25 recommendations touching on a broad range of issues. The government’s response was tabled last fall.
Both the committee and the government agreed with us that – on the whole – PIPEDA is working well and large-scale reforms aren’t needed at this time. PIPEDA has only been fully in force since 2004 and it takes time for the full impact of complex legislation like this to unfold.
That said, some adjustments would be welcome.
Industry Canada’s public consultations focused on a handful of areas: data breach notification; the concepts of “work product” and “lawful authority”; as well as witness statements, minors’ consent and investigative bodies.
Before turning things over to the panel, I’d like to briefly share some thoughts on what we hope to see in amendments expected to be tabled in the coming few months.
The reform issue that has received the most attention is breach notification. I think this one has struck a chord with Canadians because they’ve been shocked by a string of major privacy breaches over the last couple of years.
I am a strong supporter of mandatory notification. By every measure I’ve seen, breaches are a growing problem. Despite the clear risks, we continue to see too many organizations – large and small – underestimating the need to protect personal information. This results in deficient privacy and security safeguards – and, not surprisingly, data spills.
Mandatory breach notification would help reduce the number of breaches by acting as an incentive for organizations to take privacy and security more seriously. Notification will also offer people the information they need to take steps to protect against identity theft and other types of fraud.
It’s clear there are different perspectives on the need for mandatory reporting. In Industry Canada’s first round of public consultations, there was an even split between organizations supportive of, and opposed to, mandatory notification.
There are some very significant benefits for business. To begin with, a law will mean everyone is playing by the same rules. Another advantage is the fact we’ll all have a better picture of how breaches are occurring and organizations will be able to learn from the experiences of others.
Canada’s move towards a mandatory reporting system follows an international trend to adopt such requirements.
This panel today is going to examine Industry Canada’s draft breach notification model in some detail, but I’ll add my Office’s two cents now.
We’re generally quite happy with the approach the department is taking. In fact, the proposals are very similar to voluntary guidelines originally developed by the Information and Privacy Commissioners in B.C. and Ontario and adapted by the Alberta Commissioner and my Office. Other countries such as New Zealand have also adopted these guidelines.
However, we’d like to see lower notification triggers.
We think that a requirement that businesses notify individuals where there is a “substantial risk” of significant harm will exclude too many breaches. We’ve recommended notification of breaches that present “a risk of significant harm.”
We’ve also asked Industry Canada to specifically define the threshold for notifying my Office as cases where there is “a major loss or theft of personal information.”
Mandatory notification alone is clearly not going to put a stop to all data breaches; however, it will go some way to better protecting the privacy of Canadians. We also believe that the notification to individuals should include contact information for our Office or our provincial counterparts.
We have also asked for changes aimed at helping ensure we continue to be an effective privacy rights guardian.
I have asked the government to consider granting my Office the ability to dismiss some complaints early as warranting no further investigation.
We are seeing lengthy delays in handling complaints. Quite frankly, our investigations are taking too long. Other data protection authorities around the world, including those in the United Kingdom, Europe, Australia and New Zealand, are also facing similar challenges with the need to deal with all complaints received regardless of the nature or the seriousness of the complaint.
Greater discretion in the handling of complaints would allow us to focus our investigative resources on privacy issues that are of a broader systemic interest.
Privacy issues have traditionally arisen through individual complaints related to an interaction between that one person and an organization. More and more often, however, we’re seeing major privacy issues arise from more systemic threats resulting from rapidly-advancing information technologies. Just think of all the issues raised by social networking sites; by Google; and by new surveillance technologies such as RFIDs.
Increasingly, data protection authorities around the world are recognizing that this is where we must direct our efforts.
Blood Tribe Decision
Finally, I would also like to say a few words about the recent Blood Tribe decision by the Supreme Court of Canada and its implications for PIPEDA reform.
The case was about my powers as Privacy Commissioner to compel production of solicitor client privileged documents to me for the purposes of reviewing them in the course of an investigation to ensure that they were indeed subject to the privilege.
The decision offers us greater clarity with respect to solicitor-client privilege.
The Supreme Court confirmed that the right of individuals to access information about themselves in order to verify its accuracy is an essential part of the protection of privacy.
Where documents are withheld on claims of solicitor client privilege, organizations do not get a free pass – they must be held to account for those claims. There must be some independent verification.
The Supreme Court held that judges – not the Privacy Commissioner – are best placed to conduct an independent verification of solicitor client privilege claims.
At a first level, I may, short of viewing the documents themselves, use my investigative powers to compel the production of supporting evidence to establish the claim, including affidavit evidence and cross-examination of those affidavits.
Hopefully, we can count on the continuing collaboration of organizations to be forthcoming with that supporting evidence so we can resolve complaints as expeditiously as possible.
However, in those hopefully rare instances where the evidence is not provided, or I am not satisfied with the evidence, then the Supreme Court has clearly paved the way for me to proceed to Court for adjudication of the claim, either under s. 18.3(1) of the Federal Courts Act or s. 15 of PIPEDA. I will use those means if I have to.
Industry Canada has said it hopes to come out with amending legislation in the fall. We will be very interested to see the details of the amendments put forward.
Before closing, I would like to offer my gratitude to the CBA for its contribution to the PIPEDA review process. The CBA has been a very active and important participant as the government and Parliament consider PIPEDA’s future.
I am very much looking forward to listening to today’s discussion about what we can expect in PIPEDA 2.0. Thank you very much.