This was posted on the CBA site a while ago, but I'm working through a backlog of links after a really busy few months ...

Among those testifying at the PIPEDA review was Brian Bowman, Chair of the Privacy and Access Law Section of the CBA, who presented recommendations on behalf of the CBA. Michael Geist's site has a summary of the testimony presented on behalf of the CBA, but the release below links to the written submission:

CBA Says Deficiencies in PIPEDA Must Be Addressed in Five-Year Review

OTTAWA – The Canadian Bar Association says there are deficiencies in the Personal Information Protection and Electronic Documents Act (PIPEDA) that must be amended so the law addresses both individual privacy rights and organizations’ needs to collect and use information appropriately.

“It is essential that we be vigilant in respecting the balance of interests in the collection and use of personal information. We must oppose unnecessary erosions of privacy by both government and non-governmental organizations,” says Brian Bowman of Winnipeg, Chair of the CBA’s National Privacy and Access Law Section.

The CBA submission criticizes four key areas of the law:

• PIPEDA and litigation. Exceptions in PIPEDA relating to litigation are too narrow and impede well-established procedures. The CBA recommends the law should be neutral in regard to the litigation process.
• Enforcement. The CBA says enforcement should be more effective, but continue to reflect principles of fundamental justice. The CBA recommends an effective enforcement mechanism, such as an impartial tribunal, that would operate informally and have the power to make orders and award damages.
• Notification of breaches. The CBA says notification of breaches of privacy should be balanced in approach. The CBA recommends that individuals be notified of a breach only when mechanisms like encryption have failed, or when the information is personal and sensitive.
• Trans-border information flow. The CBA says information transferred across borders must be protected according to Canadian law. The CBA recommends that where personal information is being stored or processed outside Canada, additional protections – such as contracts – be required to add to the security of that information.

“We believe our suggestions will provide assistance in amending PIPEDA to address deficiencies and concerns that have become apparent since the law was enacted,” says Brian Bowman. “This five-year review of the legislation provides an excellent opportunity to re-assess that balance.”

Brian Bowman will present the CBA submission to the Access to Information, Privacy and Ethics Committee on Monday, Dec. 11, 2006 at 3:30 p.m. in Room 371, West Block. The submission is available on the CBA website at:http://www.cba.org/CBA/submissions/pdf/06-58-eng.pdf

The Canadian Bar Association is dedicated to improvement in the law and the administration of justice. Some 37,000 lawyers, law teachers, and law students from across Canada are members.

- 30 -

CONTACT: Hannah Bernstein, Canadian Bar Association, Tel: (613) 237-2925, ext. 146; E-mail: hannahb@cba.org.

(Full disclosure: I was on the committee that developed the recommendations.)

Labels: breach notification, cba, pipeda review, privacy

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: cba, pipeda review, privacy

Lately, Canadian blogging lawyers have been getting a lot of press in the more conventional media. Alan Gahtan's recent article in The Law Times (reproduced on his great blog) is a case in point, as is this recent article in the CBA's PracticeLink: New Media Marketing, Part I - Blogs--How Lawyers Can Become Thought Leaders in a Niche Market.

The CBA article in particular contains a bunch of pointers for any lawyers who are thinking about hopping on the bandwagon. It truly is amazing how easy it is to get started. Don't be intimidated because the technology lawyers were the first onboard. It is not because of any technical expertise prerequisite.

And blogging means you'll likely get to know some of the greatest lawyers around, like David Canton, Rob Hyndman, Alan Gahtan, Michael Geist, Johannes Schenk, and Michael Fitzgibbon.

Labels: cba, information breaches

The most recent edition of the Canadian Bar Association's The National Magazine is running an article on Canadian legal bloggers. The article features interviews with the authors of this blog, and the fantastic blogs of Rob Hyndman, Michael Fitzgibbon ("Thoughts from a Management Lawyer") and Sander Gelsing ("Now Why Didn't I Think of That?").

Blogging the spotlight

"They’re transforming the delivery of news and putting mass media outlets on the run. They’re changing the rules of publishing to favour the sole practitioner over the big corporation. They’re blogs, and they have the potential to reshape how lawyers communicate with clients and with each other.

Labels: cba, information breaches, media-mention, vanity

As promised a short while ago, I've posted the presentations from the CBA Annual CLE session on cross-border privacy issues. Many thanks to Simon Chester for compiling our three powerpoints into one coherent (and hefty) acrobat file.

Cross-Border Issues for Privacy Law Compliance in Canada, the US & the EU

Presented by the National Privacy Law Section and the National Business Law Section This panel will focus on issues facing multi-national organizations that seek to align their privacy law compliance procedures across jurisdictions. The panel will examine the approaches taken by multi-nationals in complying with the new Canadian laws, as well as requirements for Canadian companies doing business in the US and the EU.

Moderator: David M.W.Young, Partner, Lang Michener LLP (Toronto)

Speakers: Simon Chester, Partner, McMillan Binch LLP (Toronto)
Evelyn L. Sullen, Staff Counsel, Volkswagen of America Inc. (Auburn Hills, MI)
David T.S. Fraser, Associate, McInnes Cooper (Halifax)

Labels: cba, information breaches, presentations, privacy

I just returned from a very good few days at the Canadian Bar Association’s annual get-together in Winnipeg, Manitoba. There were quite a few privacy-related events during the two-day substantive program.

The first event was more administrative than anything. It was the meeting of the CBA Privacy Law subsection. The meeting was chaired by Brian Bowman, the section secretary who is also a privacy lawyer at Pitblado in Winnipeg. We reviewed the privacy-related resolutions passed by the CBA general meeting and the extensive activity undertaken by the section during its first year. (I’m told that it has an unprecedented level of activity for a brand-new section.) The next year should be just as busy.

David Young, who chairs the Advocacy and Government Relations subsection led a discussion of the contribution that can be made when the Personal Information Protection and Electronic Documents Act (Canada) comes up for full review in 2006. I expect there will be no shortage of suggestions. Ann Goldsmith, legal counsel to the Office of the Privacy Commissioner mentioned they have many suggestions already, with deemed consent for due diligence review in the course of sales of businesses near the top of their list.

Cross-border privacy issues

The second event was also on Monday: a panel discussion of cross-border privacy issues. Moderated by David Young of Lang Michener, the panel was composed of Simon Chester of McMillan Binch, Evelyn Sullen of Volkswagen of America Inc. and me. The presentation that I gave is available here and I’ll try to get permission to post Simon and Evelyn’s powerpoints.

Simon Chester began with a presentation on European privacy law, using three European women as illustrations of the law’s development and enforcement: (a) Bodil Lindqvist, (b) Naomi Campbell (see Campbell v. MGN Limited, [2004] UKHL 22) and (c) Princess Caroline of Monaco. The first example demonstrates how some authorities in Europe are being much more aggressive in enforcing the Data Protection Directive, including against clearly non-commercial and “domestic” use of personal information. The latter two examples show how the balance between privacy and freedom of the press are moving clearly towards privacy in Europe. (We will not likely see any of the Campbell/Caroline examples in Canada soon, as PIPEDA specifically does not apply to information collected for “artistic, literary or journalistic purposes. Any similar complaints against paparazzi will have to be grounded in the independent tort of “invasion of privacy”, which is being slowly developed in the Canadian provinces that do not have a statutory tort.) Interested readers should take a look at Simon's comprehensive paper, which is available here.

Evelyn’s presentation included an overview of the sectoral laws in the United States (COPPA, HIPAA, GLB, etc.) and a look at Volkswagen USA’s experience in addressing PIPEDA and the European privacy rules. It was estimated that VW spent about $500K in complying with PIPEDA, including postage for sending a “grandfathering/opt-out” letter to all customers in their database.

One of the questions posed was whether to adopt a fragmented privacy management system within an international company or should one try to develop a policy that complies with all legal regimes in which the company operates. Much of what was discussed in the international context is also applicable within the Canadian federal system. We are dealing with a number of privacy regimes in this country, including the present 100% overlap between federal and provincial laws in Alberta and British Columbia. (I am told that the Order-in-Council to declare AB and BC’s laws “substantially similar” to PIPEDA is on the agenda for the next meeting of the federal cabinet.) We also have an interesting overlap in the health privacy arena. Alberta, Saskatchewan and Manitoba each have provincial health information laws and none of them are expected to be declared substantially similar. This means that physicians in private practice, who are engaged in “commercial activities”, must comply with PIPEDA and with the local health information law. In most cases, the healthcare professionals can design their programs to comply with the most demanding individual rules and principles. In some cases, this is not always possible as some contradictions may appear between the laws.

Update on Canada’s Privacy Laws

On Tuesday, Brian Bowman moderated a panel of representatives from various privacy commissioners’ offices. On the panel was Heather Black, Assistant Privacy Commissioner of Canada; Brian Loukidelis, Information and Privacy Commissioner from British Columbia, Barry Tuckett, Manitoba’s Ombudsman and Mary O'Donoghue, legal counsel to the Information and Privacy Commissioner of Ontario. Each of the panelists gave an update on developments in their respective jurisdictions, beginning with Heather Black’s overview of the roll-out of PIPEDA. Heather made an interesting distinction between systemic and more accidental violations of PIPEDA. Systemic violations are those which demonstrate a systemic problem, such as a lack of awareness, policies or procedures. Accidental ones are simply where a company’s established – and otherwise compliant – procedures and policies are not followed, resulting in a breach. Both are problems, but the balance of complaints is leaning further away from systemic breaches. Heather also mentioned that the number of complaints that are “well founded” has declined (to the end of 2003) to around 20% from 45% a couple of years before.

Mary O'Donoghue, from the Ontario Information and Privacy Commissioner’s Office, provided a very good and brief overview of the Personal Health Information Protection Act, 2004.

At the moment, I’m a little jetlagged. I’ll try to write more about the conference when I’ve got a few more minutes and once I’ve heard back from my co-panellists about posting their materials.

Labels: alberta, bc, british columbia, cba, health information, information breaches, presentations, privacy

The Canadian Bar Association, meeting in Winnipeg, unanimously passed two privacy-related resolutions over the weekend. I'll post the full text of the resolutions when I have a chance, but there is some coverage in Saturday's National Post:

Canadian Bar Association to debate balance between privacy, security

Michelle Macafee
Canadian Press

WINNIPEG (CP) - Members of the Canadian Bar Association want the federal government to strengthen privacy laws and ensure that any collection of personal information for security reasons is 'subject to reasonable and attainable objectives.'

Delegates attending this year's annual meeting, which begins Saturday in Winnipeg, will debate two resolutions prepared by the association's privacy law and criminal justice sections. "

I expect a release will be soon posted here: http://www.cba.org/CBA/News/2004_Releases/default.asp

Labels: cba, information breaches