The battle over Canadian privacy continues in the wake of yet another review of the Personal Information Protection and Electronic Documents Act (PIPEDA). This time, however, a significant sally forward has been made, with Industry Canada opening up its recommendations to public opinion.
There have been several commissions looking into PIPEDA over the last year or so, with the Privacy Commissioner running her own review (complete with public consultation), and a parliamentary committee (the Standing Committee on Access to Information Privacy and Ethics) running its own, with the results released in May. Industry Canada’s review—“Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics: Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)”—was in response to this committee’s findings.
That committee’s findings were “incredibly vague,” according to Philippa Lawson, director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic, who testified on behalf of the organization before the committee.
“It was very rare that there were any specific recommendations. It was like, ‘We need to take a look at this,’ and then leaving it to the government to figure out.”
Industry Canada mounted closed consultations with key stakeholders in the privacy community while preparing its response. The results were much more concrete, according to Lawson, with recommendations that the public can now comment on and which could successfully be turned into an amendment one day. She said, “This signals that the government plans to act.”
While the consultation is open to the public (it was published in the government’s publication, The Canada Gazette), Lawson thinks that key stakeholders will be the primary responders, due to the complex legal issues at stake. Said Lawson: “The answers here are not at all obvious.”
The three primary issues highlighted in the public call for input were data breach notification and the definitions of “work product” and “lawful authority.” (Other issues mentioned included “witness statements, consent by minors, and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form.”)
Industry Canada’s response to data breach notification is that “PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.” British Columbia Freedom of Information and Privacy Association president Richard Rosenberg said that this wasn’t a particularly significant step forward. Said Rosenberg: “That’s going less than half-way. Anything less than reporting it to the Privacy Commissioner wouldn’t be reporting it at all.”
Work product was also highlighted as an issue. It concerns “the question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information.” An example of this is the practice of businesses like IMS Health, which collects, analyses, and sells information about doctors’ prescribing habits.
The definition of “lawful authority” relates to the difficulty that some law enforcement agencies face when trying to collect information without a warrant. “It’s been interpreted as very restrictive, and it makes it difficult for the police to get the information,” Lawson said. This has resulted in businesses (such as ISPs) always requesting a warrant, even where one might not be strictly required. But, said Lawson, as it is a rather “privacy-friendly” practice, deciding where to come down will be difficult.
Rosenberg sees the matter as more of a black-and-white case, saying that the contentious issue (which, he said, has been a matter of debate for some time) is a clear privacy breach. “I’m surprised that this came in…Why shouldn’t ISPs ensure that they have a warrant? So they have all this personal information on you—you have to take your chances on the Internet.”
A change that didn’t make it in was giving the Privacy Commissioner order-making powers, said Rosenberg, something that was called for by many privacy advocates during the Standing Committee on Access to Information Privacy and Ethics hearings and was rejected. Industry Canada also rejected the idea, stating in its response, “The government agrees that the Privacy Commissioner should not be granted order-making powers at this time.
This position is supported by the general view expressed throughout oral and written submissions to the Committee that PIPEDA is working quite well. In addition, the relatively short time for which the Act has been in existence warrants a cautionary approach to making significant amendments to the enforcement powers of the Privacy Commissioner. Rather, the Commissioner should be given additional time to make full use of the enforcement powers that are currently at her disposal.”
As for Industry Canada’s recommendations, Lawson said that a timeline for implementing the changes is impossible to predict. Lawson said, “You never know. It depends on the government’s priorities. Maybe an MP would be personally affected and that could hurry it along. Parts of it could get by very fast, (by next year). Or it could take years.”