Privacy commissioner says organizations are displacing privacy rights, wants power to levy fines and to require organizations to report loss of personal information

Time to beef up federal privacy law, says Stoddart

Canada’s federal privacy law is only 12 years old but it needs to be overhauled, says the country’s privacy commissioner.

“As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially,” Jennifer Stoddart said Thursday in Toronto at a conference of the International Association of Privacy Professionals.

“It is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.”

When the Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted, there was no Facebook, Twitter or Google Street View, she noted. “Phones weren’t smart. ‘The cloud’ was something that threatened picnic plans.

“The world has changed, and while my office has had some successes in prompting companies to improve their privacy practices, improvement often comes after the fact and after our office has invested significant resources. Too often, privacy is an afterthought,” she says.

“The purpose of our privacy law – to balance privacy and legitimate business needs – is no longer being met. The legislation lacks mechanisms strong enough to ensure organizations invest appropriately in privacy. As a result, consumer trust in the digital economy is at risk.”

Stoddart released a report detailing arguments for what needs to be changed and why. The proposed changes include:

  • Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court, and providing the Privacy Commissioner with order-making powers and/or the power to impose financial penalties where necessary;
  • Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that 97 per cent of Canadians want to be notified of a breach involving their personal information.
  • Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws;
  • Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit.

Too often, the privacy rights of individuals are displaced by organizations’ business needs, the report concludes. At this stage in PIPEDA’s evolution, incentives are needed to encourage organizations to build robust privacy compliance in the early stages of product or service development, and sanctions should be levied in the event something goes wrong.
