Appearances before Parliamentary Committees

Statutory Review of the Personal Information Protection and Electronic Documents Act

Appearance before the Standing Committee on Access to Information, Privacy and Ethics

November 27, 2006
Ottawa, Ontario

Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


I am very pleased to be here today to assist you with your review of the Personal Information Protection and Electronic Documents Act, or PIPEDA, as it is commonly called. 

Our privacy is fundamentally important to all of us—as consumers, as citizens, as students, as employees—in every aspect of our day-to-day lives. PIPEDA, along with the Privacy Act that applies to federal departments and agencies, provides the foundation for privacy protection in Canada. 

I would like to take a moment to explain why PIPEDA is more important than ever. When we first started talking about this law in 1998, the Information Highway was a catchphrase; now it is a reality. Transborder flows of personal information were a trickle.  Now they are a flood. New and emerging technologies such as location tracking devices and radio frequency identification threaten privacy in ways that were unimaginable a decade ago. 

We want to help you in this critically important task of ensuring that PIPEDA remains capable of dealing with the many privacy challenges we face in the 21st century.

In preparation for the review we issued a consultation paper setting out twelve issues that we identified as worthy of attention. We received over 60 submissions from a variety of organizations and individuals. A summary of the submissions along with a discussion of the issues we identified are included in the submission we have tabled with the Committee.  I think it is fair to say that there is general agreement about the issues the Committee might want to consider, but unfortunately there is not consensus about the best way to address all of these issues. 

I have a very clear and positive message I want to leave with you today. We believe that PIPEDA is generally working well. PIPEDA strikes a careful balance between two goals: the right of individuals to keep their personal information private and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate.      

I have chosen the following issues to bring to your attention today because they have the potential to affect the privacy interests of a large number of Canadians.

First of all, it is important that privacy law be administered in a stable context.  PIPEDA is based on an ombudsman model.  As Privacy Commissioner I have the power to investigate complaints, conduct audits, make findings, issue non-binding recommendations and initiate court actions.  We will not be asking for enhanced enforcement powers.  We are not convinced that the time is right to make such a fundamental change to the enforcement mechanisms for several reasons, both practical and administrative.

Secondly, some of the most difficult complaints we have received have involved employee information.  PIPEDA is based on consent which is a challenging concept in a workplace environment where there is unequal bargaining power. One of the issues that you may wish to consider is whether there are more appropriate ways to deal with employee information without sacrificing the privacy rights of workers. Our submission offers some suggestions about dealing with employee information. 

With respect to the issue of work product, PIPEDA does not use the term.  We have addressed this issue by adopting a case-by-case approach to assessing whether or not the information in question is about the individual.  If the answer is yes, then the information is protected by the Act.  We recognize that an individual in his or her capacity as an employee or as a professional may generate information that is not about the individual.  We would caution you that removing all such information from the Act could result in intrusive workplace monitoring and other abuses.

Since the Act was passed, concerns about protecting transborder flows of personal information have taken on a new urgency.  As a result of globalization, the emergence of new “follow the sun” business models and the explosion of offshore processing, the amount of personal information flowing across borders has increased dramatically.  At the same time, governments are increasingly interested in obtaining access to this information for national security purposes. PIPEDA does not contain any specific provisions with respect to transborder information flows.  We believe that by providing guidance, requiring organizations to be open about their processing practices and holding them responsible for personal information when it crosses borders we can address the challenges of transborder information flows.

We also need to ensure that we can deal with complaints that involve other jurisdictions. We live in a world of increasingly virtual borders in which privacy issues do not always respect national boundaries. I would ask you to consider a specific provision to make it clearer we have the authority to share information with our international counterparts while cooperating on investigations of mutual interest.

PIPEDA requires organizations to protect personal information from unauthorized access or disclosures. The Act does not require organizations to take any specific actions in the event of an unauthorized disclosure.  More than half of the U.S. states have passed laws requiring organizations to notify their customers or clients when their personal information has been compromised.  Policy makers in the European Union are looking at similar requirements.  Breach notification laws may force organizations to take security more seriously. They may provide individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a privacy breach.  We look forward to discussing with the Committee whether it is possible to fit a notification requirement into the PIPEDA framework.

Before concluding I want to raise one very specific and pressing matter relating to a recent Federal Court of Appeal decision.  The case deals with solicitor-client privilege and our ability to obtain access to documents.  This recent decision in the Blood Tribe case leaves a gaping hole in our ability to conduct meaningful investigations.  It effectively allows organizations to shield information from our investigators with no independent verification that the documents in question do in fact contain information subject to solicitor-client privilege. Although we are seeking leave to appeal, we believe this ambiguity in the legislation needs to be clarified with an amendment to PIPEDA as soon as possible.

To repeat, we believe that PIPEDA is working reasonably well. Overall, we think there is a high level of compliance among reputable companies and that the business community is committed to the protection of our personal information.

Can the Act be improved? Yes.  Based on our experience applying the law since 2001 and with the benefit of the “second generation” private sector laws that have been passed in some provinces, we have identified in our submission gaps in the Act and provisions that would benefit from greater clarity. We think there are ways in which the Act can be made more practical and more predictable.

After you have had the benefit of hearing from other witnesses, we would be pleased to return and discuss these suggestions in greater detail.