New privacy challenges demand stronger protections for Canadians
Privacy Commissioner Jennifer Stoddart issues position paper on modernizing Canada’s private sector privacy law to include stronger enforcement powers, mandatory data breach reporting provisions, and increased accountability and transparency measures
Toronto, May 23, 2013 — Canada needs a more modern privacy law – including stronger enforcement powers – to better protect the rights of Canadians in the digital age, says the Privacy Commissioner of Canada.
Commissioner Jennifer Stoddart today released a position paper which offers a roadmap for modernizing Canada’s federal private-sector privacy law so that it more effectively tackles current and future privacy issues.
“Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially,” says Commissioner Stoddart.
“It is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.”
The Commissioner launched her Office’s new paper, called The Case for Reforming the Personal Information Protection and Electronic Documents Act (PIPEDA), at the International Association of Privacy Professionals’ 2013 Canada Privacy Symposium.
Commissioner Stoddart, who delivered a keynote address to the conference, described the dramatically different privacy landscape that existed when PIPEDA began coming into force back in 2001.
“There was no Facebook, no Twitter and no Google Street View. Phones weren’t smart. ‘The cloud’ was something that threatened picnic plans,” says Commissioner Stoddart.
“The world has changed and while my Office has had some successes in prompting companies to improve their privacy practices, improvement often comes after the fact and after our Office has invested significant resources. Too often, privacy is an afterthought,” she says.
“The purpose of our privacy law – to balance privacy and legitimate business needs – is no longer being met. The legislation lacks mechanisms strong enough to ensure organizations invest appropriately in privacy. As a result, consumer trust in the digital economy is at risk.”
The recommendations outlined in the new paper include:
- Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court; providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where circumstances warrant.
- Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that virtually all Canadians – 97 percent – would want to be notified of a breach involving their personal information.
- Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws.
- Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit.
“We live in a global world. Canada needs to ensure its privacy legislation evolves to keep up with laws in other countries with stronger enforcement powers,” says Commissioner Stoddart. “Canada cannot afford to be left behind other jurisdictions, with little in the way of consequences for those that do not respect our privacy law.”
For more detailed information, please see:
- Speech: Looking back – and ahead – after a decade as Privacy Commissioner of Canada
- The Case for Reforming the Personal Information Protection and Electronic Documents Act
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
- 30 -
For more information, please contact:
Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via e-mail.