IT World Canada

Give privacy commissioner enforcement power, says parliamentary committee

The federal Privacy Commissioner would have the power to make orders and impose fines for companies not complying with the  Personal Infomation Privacy and Electronic Documents Act  (PIPEDA), if  the government approves suggested changes to the law recommended by a Parliamentary committee.

The change is one of a number unanimously proposed Friday by the Standing Committee on Access to Information, Privacy and Ethics. Some of the proposed changes could mean big changes in corporate privacy and marketing policies.

The recommendation doesn’t say what order powers or how high the fines the Privacy Commissioner should be given.

In his annual report to Parliament Commissioner Daniel Therrien has asked for more enforcement power. Meanwhile he will launch investigations into questionable privacy practices or chronic problems on his own when necessary rather than wait for complaints.

Some of the recommendations, if approved, could also bring PIPEDA closer to complying with Europe’s new privacy law, the General Data Protection Regulation (GDPR), which comes into effect May 25.

For some months privacy experts have worried that Canada’s private sector privacy law doesn’t meet the requirements of  GDPR and warn Canada may lose its valued adequacy status automatically on that date. That leaves open the probability that privacy policies of Canadian organizations holding personal data on European customers will be rejected. On the other hand the government says adequacy can only change if the European Commission makes a finding.

But the parliamentary committee has recommended the Personal Infomation Privacy and Electronic Documents Act  (PIPEDA) be updated in a number of ways that could meet GDPR requirements. In addition, the committee recommends the government work with the EU to determine what would constitute adequacy status for PIPEDA in the context of the new General Data Protection Regulation(GDPR).

The suggested changes include giving the federal Privacy Commissioner  enforcement powers, such as the power to make orders and impose fines for non-compliance, as well as broad audit powers, including the ability to choose which complaints to investigate.

“This Committee has listened to a variety of witnesses from a large cross-section of Canadians with regards to protecting their privacy,” committee chair Bob Zimmer (L-Prince George-Peace River- Northern Rockies) said in a statement. “We are deeply concerned with the rights and protections of all Canadians and I believe that the report tabled today highlights the concerns that we have for the future and the necessary updates to the Personal Information Protection and Electronic Documents Act.”

John Lawford, executive director of the Public Interest Advocacy Centre (PIAC), said many of the recommendations are good, especially one suggesting the government consider changing PIPEDA so companies can’t capture personal information of minors. He also agrees the Privacy Commissioner should get more powers. “Overall the tenor of the report was good. We’ll see what gets taken up.”

The committee made other recommendations to Parliament that if passed will affect corporate privacy and marketing strategies. They include:

Under the EU’s current privacy regime, PIPEDA — which companies here have to follow unless provincial legislation applies — has adequacy status.  Privacy experts have worried that after May 25, when the GDPR comes into effect, PIPEDA would automatically not be seen as adequate with GDPR.

However, last year a spokesperson for the department of  Innovation, Science and Economic Development told ITWorldCanda.com that PIPEDA’s adequacy status won’t change automatically.

“The EU is not required to render opinions on adequacy rulings prior to its new privacy regime taking effect in May 2018,” the official said. The Privacy Commissioner’s office said it understands a review of the GDPR by the European Commission is required by May 2020. “We also understand that Canada’s adequacy will remain in force under the directive until the EC decides otherwise.”