It's official, the Prime Minister is proroguing parliament until the beginning of March: CBC News - Politics - PM seeks Parliament shutdown until March. (Never mind that they've been on vacation since November.)

This means that a number of privacy-affecting bills are being forced into a coma. The list includes:

• Bill C-27 - Electronic Commerce Protection Act (Second Reading in the Senate and Referred to Committee on December 15, 2009) (aka Anti-spam Act);
• Bill C-46 - Investigative Powers for the 21st Century Act (Referred to Committee on October 27, 2009);
• Bill C-47 - Technical Assistance for Law Enforcement in the 21st Century Act (Referred to Committee on October 29, 2009);

The media is also reporting that, in the meantime, Harper plans to fill five vacant senate seats, which will give the Conservatives the majority they need to ensure safe passage of their legislation.

Labels: lawful access, pipeda review, privacy, spam

Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.

Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.

And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.

I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.

Birthday cake graphic used under a creative commons license from K. Pierce.

Labels: border, dncl, google, google street view, identity theft, incident, laptop, lawful access, pipeda review, privacy, privacy act, telemarketing, video surveillance

One thing that was relatively consistent in the submissions at PIPEDA's five year review was to follow in the footsteps of more than half the US states to require notification of security and privacy breaches. Canwest is reporting on leaked draft legislation which will surely disappoint many in the privacy community. In effect, there is no mandatory reporting. Businesses get to determine whether there is a "high risk of significant harm" and only then do they need to report the breach to consumers. Not reporting has no consequences. See: Feds to leave disclosure of data security breaches to businesses: legislative plan.

Labels: breach notification, pipeda review, privacy

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Commitee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliaentary commitee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette

DEPARTMENT OF INDUSTRY

IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www. publications.gc.ca.

Labels: breach notification, identity theft, lawful access, lawful authority, pipeda review, privacy

The government has issued its response to the five year PIPEDA review report, issued earlier this year by the Parliamentary Committee on Access to Information, Privacy and Ethics. No big surprises.

The government proposes even more "consultations".

See: Industry Canada Site - Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics.

Labels: pipeda review, privacy

Micahel Geist's take on the results of the PIPEDA review: There Will Be No Privacy Reform. Get Over It.

See also his Toronto Star column on the topic.

I think he's probably right.

Labels: pipeda review, privacy

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:

ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons

The Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS

has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:

47

Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Labels: alberta, bc, breach notification, british columbia, health information, identity theft, lawful authority, pipa, pipeda review, privacy

The PIPEDA Review Hearings have resumed after a recess and Michael Geist continues to link to notes taken at the hearings (see: Michael Geist - PIPEDA Hearings - Days 9 (banking industry) and 10 (Chamber of Commerce, Insurance)). The focus has shifted to discussions of breach notification, a topic that now seems to have strong support on the committee.

Labels: breach notification, pipeda review, privacy

The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.

This may be the upswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:

The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen

By CLARE MELLOR Business Reporter

Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.

Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.

"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.

"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."

CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.

TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.

About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.

A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.

When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.

Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.

While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.

"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said .

But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.

"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto

"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."

There have been media reports of fraudulent purchases made with customer information stolen from Winners.

A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.

But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.

"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."

(cmellor@herald.ca)

Labels: alberta, breach notification, identity theft, pipeda review, privacy, tjx

All the evidence to date in the statutory review of PIPEDA is up on the committee's website. Links are below for your convenience:

Meeting Information	Study/Activity	Minutes	Evidence
Meeting 25 December 13, 2006 15:28 - 17:03	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Meeting 24 December 12, 2006 09:31 - 10:20	Certificate of nomination of Robert Marleau to the position of Information Commissioner
Meeting 23 December 11, 2006 15:30 - 17:29	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) Committee Business
Meeting 22 December 6, 2006 15:33 - 17:29	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Meeting 21 December 4, 2006 15:30 - 17:29	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) Committee Business
Meeting 20 November 29, 2006 15:30 - 17:02	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Meeting 19 November 27, 2006 15:31 - 17:19	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Meeting 18 November 22, 2006 15:48 - 17:28	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Meeting 17 November 20, 2006 15:33 - 17:34	Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) Committee Business

Labels: pipeda review, privacy

Kevin Bousquet, a private investigator with The Corpa Group, has an interesting and long post on PIs, privacy law and pretexting on his blog. It's his view that privacy laws have backfired and that Bill C-299 (the anti-pretexting private member's bill) will have a disastrous effect on the ability of private investigators to deal with fraud, among other things. It's obvious that he put a lot of thought into it and, though I don't agree with many of his conclusions, it is an interesting perspective.

Oddly, there wasn't anyone espousing this perspective who appeared at the PIPEDA review hearings.

Labels: law enforcement, pipeda review, pretexting, privacy, surveillance, video surveillance

This was posted on the CBA site a while ago, but I'm working through a backlog of links after a really busy few months ...

Among those testifying at the PIPEDA review was Brian Bowman, Chair of the Privacy and Access Law Section of the CBA, who presented recommendations on behalf of the CBA. Michael Geist's site has a summary of the testimony presented on behalf of the CBA, but the release below links to the written submission:

CBA Says Deficiencies in PIPEDA Must Be Addressed in Five-Year Review

OTTAWA – The Canadian Bar Association says there are deficiencies in the Personal Information Protection and Electronic Documents Act (PIPEDA) that must be amended so the law addresses both individual privacy rights and organizations’ needs to collect and use information appropriately.

“It is essential that we be vigilant in respecting the balance of interests in the collection and use of personal information. We must oppose unnecessary erosions of privacy by both government and non-governmental organizations,” says Brian Bowman of Winnipeg, Chair of the CBA’s National Privacy and Access Law Section.

The CBA submission criticizes four key areas of the law:

• PIPEDA and litigation. Exceptions in PIPEDA relating to litigation are too narrow and impede well-established procedures. The CBA recommends the law should be neutral in regard to the litigation process.
• Enforcement. The CBA says enforcement should be more effective, but continue to reflect principles of fundamental justice. The CBA recommends an effective enforcement mechanism, such as an impartial tribunal, that would operate informally and have the power to make orders and award damages.
• Notification of breaches. The CBA says notification of breaches of privacy should be balanced in approach. The CBA recommends that individuals be notified of a breach only when mechanisms like encryption have failed, or when the information is personal and sensitive.
• Trans-border information flow. The CBA says information transferred across borders must be protected according to Canadian law. The CBA recommends that where personal information is being stored or processed outside Canada, additional protections – such as contracts – be required to add to the security of that information.

“We believe our suggestions will provide assistance in amending PIPEDA to address deficiencies and concerns that have become apparent since the law was enacted,” says Brian Bowman. “This five-year review of the legislation provides an excellent opportunity to re-assess that balance.”

Brian Bowman will present the CBA submission to the Access to Information, Privacy and Ethics Committee on Monday, Dec. 11, 2006 at 3:30 p.m. in Room 371, West Block. The submission is available on the CBA website at:http://www.cba.org/CBA/submissions/pdf/06-58-eng.pdf

The Canadian Bar Association is dedicated to improvement in the law and the administration of justice. Some 37,000 lawyers, law teachers, and law students from across Canada are members.

- 30 -

CONTACT: Hannah Bernstein, Canadian Bar Association, Tel: (613) 237-2925, ext. 146; E-mail: hannahb@cba.org.

(Full disclosure: I was on the committee that developed the recommendations.)

Labels: breach notification, cba, pipeda review, privacy

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: cba, pipeda review, privacy

More from the PIPEDA hearings, thanks to Michael Geist:

Michael Geist - PIPEDA Hearings - Day 06 (CIPPIC, PIAC, MRIA): Friday December 08, 2006 The PIPEDA hearings continued on Wednesday with CIPPIC, PIAC, and the Marketing Research and Intelligence Association providing their views. While I was unable to find a student to blog the event, CIPPIC has posted its meeting notes and speaking notes.

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Michael Geist has again posted notes from the PIPEDA review hearings on is blog:

Michael Geist - PIPEDA Hearings - Day 05 (CMA, FETCO):

"Today marked the fifth day of PIPEDA hearings with the Canadian Marketing Association and FETCO (Federally Regulated Employers Transportation and Communication) taking centre stage. The gist of today's discussion from the witnesses - no order making power, cautious approach on security breach disclosure, and cut back on employee privacy rights. The MPs have begun to settle into specific issues with the Conservative members focused on the compliance costs, while the opposition members more receptive to enhanced privacy rights within PIPEDA. Shiran Sabari provides a complete look at the discussion: ..."

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Again on the topic of the PIPEDA review, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) has released its written submission to the Parliamentary Committee on Ethics, Access to Information and Privacy. Not surprisingly, they are calling for some major changes:

We therefore propose a number of amendments designed to clarify rights and obligations, to close gaps, and to give the regime the "teeth" it is clearly lacking. Such amendments include:

• giving the Commissioner (or an associated Tribunal) order-making powers;
• reducing barriers to the enforcement of PIPEDA rights via Federal Court;
• permitting class actions under PIPEDA;
• providing for punitive as well as compensatory damages in court;
• mandatory naming of respondents in published Commissioner findings;
• mandatory Commissioner reporting on complaints;
• expanding the list of offences under PIPEDA;
• removing the "reasonable grounds" requirement for audits; and
• giving the Commissioner powers to share information with her counterparts.

While PIPEDA's redress and enforcement regime is most need of reform, some important substantive provisions of the Act suffer from lack of clarity, and others leave strange gaps. We have therefore proposed amendments to clarify and add provisions dealing with:

• the criteria for valid consent;
• data breach notification;
• reasonable limits on collection, use and disclosure;
• children's privacy;
• openness and individual access;
• attempted collection, use and disclosure;
• state surveillance; and
• the definition of "organization".

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: breach notification, pipeda review, privacy, surveillance

Michael Giest has a summary of the fourth day of testimony before the Parliamentary Committee conducting the PIPEDA review hearings:

Michael Geist - PIPEDA Hearings - Day 04 (B.C. Privacy Commissioner Loukidelis and Professor Val Steeves):

"Wednesday's PIPEDA hearing featured B.C. Privacy Commissioner David Loukidelis and University of Ottawa professor Val Steeves. Commissioner Loukidelis went even further than the federal privacy commissioner in downplaying significant change. Loukidelis downplayed his order making power (a last resort), security breach notification (more evidence on impact needed), and even the concerns associated with cross-border transfers to the U.S. (can always pick a different private sector company). Professor Steeves highlighted the privacy challenges posed by new technologies and offered some specific reform recommendations. Natalie Senst was in attendance on Wednesday afternoon and she filed the following report:..."

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: breach notification, british columbia, pipeda review, privacy

Michael Geist has a summary of the third day of the PIPEDA review hearings, at which the Privacy Commissioner appeared. She called for mandatory breach notification and amendments to PIPEDA to get around the recent Blood Tribe that curtailed her ability to review claims of privilege. Check it out: Michael Geist - PIPEDA Hearings - Day 03 (Privacy Commissioner of Canada).

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: breach notification, pipeda review, privacy

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Is it live or is it Memorex?

Michael Geist has a source sitting in on the PIPEDA hearings. Read her notes: Michael Geist - PIPEDA Hearings - Day 01 (Industry Canada).

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Regular readers won't be shocked to discover that Michael Geist has a few thoughts on the PIPEDA review, which started today. Check it out: Michael Geist - PIPEDA Review Underway Today. And read his Toronto Star column on the same topic: Michael Geist - Hearings Offer Chance to Fix Holes in Privacy Law.

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

Michael Geist has a snapshot of what's been scheduled so far for the PIPEDA review before the House Standing Committee on Information, Ethics and Privacy:

Michael Geist - PIPEDA Review Schedule Unfolds:

The Standing Committee on Access to Information, Ethics, and Privacy launches the PIPEDA review next week with three hearings now on tap. Representatives from Industry Canada will appear on Monday, Richard Rosenberg and Colin Bennett, two B.C. experts appear on Wednesday, and Privacy Commissioner of Canada Jennifer Stoddart is scheduled to appear on Monday, November 27th. The Committee is still open to written submissions and proposals for oral presentations.

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: pipeda review, privacy

The Federal Court of Appeal yesterday released its decision in Blood Tribe Department of Health v. Canada (Privacy Commissioner). This is the important decision in which the Federal Court had held that the Privacy Commissioner had jurisdiction to review documents that are claimed to be privileged to determine if the privilege was properly claimed in a request for access (FCT case).

The Court of Appeal held (and forgive the bad OCR of a faxed copy of the decision -- a cleaned up version will appear shortly):

(e) How to Deal with a Claim of Solicitor-Client Privilege under PIPEDA

[31] Section 15 of PIPEDA permits the Commissioner to apply to the Federal Court in relation to any matter referred to in section 14 which in turn encompasses solicitor-client privilege pursuant to subsection 9(3) of that Act (supra, at paragraph 4).

[32] The Intervener, the Law Society of Alberta, directed the panel to the Supreme Court of Canada of R v, McClure, 2001 SCC 14 [McClure]. That case outlined useful principles to be applied regarding a review of solicitor-client privilege by civil and criminal courts. McClure faced sexual charges from twelve former students, including one 'J.C.' who had also commenced a civil action. In the criminal action, McClure sought production of JC's civil litigation file in order to determine the nature of his allegations and to test his motivation in fabricating or exaggerating incidents of abuse. Major J. outlhed a three stage procedural test to protect the solicitor-client privilege. In the first two stages, the party seeking privileged material must establish that there i s no other compellable source for the privileged information as well as an evidentiary basis upon which to conclude that the information would be legally useful. In the third stage, the judge must then examine the documents and will not release them unless satisfied that they would likely give rise to an issue of relevance pertinent to the ,ultimate disposition of the case.

[33] In my analysis, the Commissioner's ability to conduct her investigation is not fettered by a rule that protects privileged communication. In circumstances where a broad claim of solicitor client privilege is used as a shield to thwart on investigation, judges of the Federal Court are equal to the task of developing procedures that adequately minimize the potential invasion of the privilege (see also Goodis v. Ontario (Ministry of Correctional Services}, 2006 SCC 3 1 at paragraph 2 1).

V. Conclusion

[34] In summay, the Judge erred in adopting a purposive and liberal interpretation of paragraphs 12(l)(a) and (c) of PIPEDA and in adopting AIA principles in a PIPEDA review. The appeal should be allowed, the order of the Judge dated March 8, 2005 should be set aside and the Commissioner's order for production of rccords dated October 22, 2003 should be vacated. Costs to the appellant in this appeal. No costs were sought by the intervener, the Law Society of Alberta.

Labels: alberta, health information, litigation, ontario, pipeda review, privacy

The Canadian Internet Policy and Public Interest Clinic has released their response to the Privacy Commissioner's request for comments related to the upcoming PIPEDA review. No huge suprises, but an interesting read.

Labels: pipeda review, privacy

The London Free Press, which is also the source of David Canton's great technology law column, is also running an interesting commentary on an issue that didn't make it into the Privacy Commissioner's proposed topics for discussion in connection with the PIPEDA review:

London Free Press - Business - Definition of personal information muddies privacy law:

... Several OPC decisions on when photos and video recordings become personal information have been inconsistent, so some businesses are unsure whether some aspects of their work put them at risk.

This leads to a tangential question: Do we need a separate definition for 'business information'?

Intuitively, one might think a business e-mail address is a logical extension of a business employee's name, title, address and phone number -- information exempt from PIPEDA, according to the definition of personal information. The assistant commissioner, however, in decision No. 297, declared it 'personal information' because it was not included in the list of business information under this definition....

Labels: pipeda review, privacy

The Personal Information Protection and Electronic Documents Act provides for a review of the Act every five years by a committee of the House of Commons. Since it came into force in 2001, many have been waiting for 2006 to resolve a number of outstanding questions. While preliminary consultations have been going on by Industry Canada in anticipation of the review, there hasn't been any indication of when the public review would begin.

The Privacy Commissioner of Canada has kicked off the public discussion with the release of a PIPEDA Review Discussion Document, which covers a number of areas where defects and ambiguities have been identified. The document doesn't offer recommendations, but raises questions to be considered by the committe in the following areas:

• Commissioner’s Powers
• Consent
• Disclosure of Personal Information before Transfer of Businesses
• Work Product
• Duty to Notify
• Transborder Flows of Personal Information
• Sharing Information with Other Data Protection Authorities

The document is relatively brief and does a good job of discussing most of the issues that I expect will be considered by the committee whenever it gets going.

Labels: pipeda review, privacy

It's hard to believe that I've been at this for two years. On January 2, 2004 I did the first posting to this blog (The Canadian Privacy Law Blog: Welcome to the Canadian Privacy Law blog). At the time, I was concerned that I wouldn't have the attention span to keep it going for the long term. Now, two years and 1711 posts later (more than two a day), I'm pleased with how it has all turned out. I've met some pretty incredible people through the blog. This summer I had a surreal experience when a stranger recognized me in an elevator and asked if I was "the guy with the privacy website."

At the time, some people thought that privacy was just the flavour of the day and all the hubub would blow over. Either PIPEDA would be declared to be unconstitutional and business would go back to normal or business and healthcare would come to a grinding halt. None of that came to pass. PIPEDA and the PIPAs are completely manageable. Very few reputable companies had much to change; mostly, compliance was putting policies, procedures and accountability in place to support their existing practices. Some had to fine-tune their practices and I'm generally impressed with the number of companies that are recognizing privacy issues and are seeking professional counsel.

I expect the year ahead will also be interesting on the privacy front. PIPEDA will come under review in the federal Parliament and there is much work to be done to clarify the law and make it more manageable. For consumers, privacy continues to be a strong priority and the growth of identity theft makes their concerns all the more acute. The PIPEDA review will bring that concern front and centre. I'm waiting to see whether the legislators will take any action to address this. Some provinces, such as Ontario, may look again at provincial privacy laws of general application. Other provinces may follow Ontario's lead and implement health privacy laws that will harmonize the rules in the public and private healthcare settings. And I am sure that we'll continue to hear about more and more privacy/security breaches, mostly from the US states where laws require disclosure.

For this blog, my plan is to keep it up. The blog's reason for being is to be a useful resource on privacy developments in Canada and elsewhere. I'd be delighted to hear what changes readers would like to see in the year ahead to make it more useful. Please feel free to leave a comment or drop me a note by e-mail: david.fraser@mcinnescooper.com.

Also a special thank-you to the many people over the last two years who have sent me links to privacy-related articles and have pointed out typos.

Happy new year!

Labels: identity theft, information breaches, pipa, pipeda review, privacy