On May 23, 2013, the Office of the Privacy Commissioner of Canada (the “Privacy Commissioner”) released a position paper (the “Position Paper”) calling for substantial changes to the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
The Privacy Commissioner argues that PIPEDA, as it stands, is insufficient to meet the challenges posed by technology that allows organizations to collect, use, and disclose personal information in unprecedented volumes (“Big Data”). Big Data poses challenges both for the security of Canadians’ personal information and for the manner in which organizations use that information, especially businesses looking to use it to increase their earnings.
There have been attempts to amend PIPEDA in the past. Bill C-12, which has gone through First Reading in the House of Commons, would amend PIPEDA to, among other things, require organizations to report material breaches of security safeguards involving personal information, and require organizations to notify the affected individual if the breach creates a real risk of significant harm. The Privacy Commissioner, however, has argued in the past that Bill C-12 is “behind the times” and does not sufficiently address the challenges from massive aggregation of personal data.
The Privacy Commissioner’s Position Paper outlines four main recommendations for changes to PIPEDA:
- Expand the Commissioner’s powers to enforce PIPEDA: Currently, the Commissioner is an administrative investigator with the power to investigate breaches of PIPEDA and to encourage compliance by “naming and shaming” respondent organizations. The Commissioner argues that these powers are insufficient to incentivize protection of personal information in the age of Big Data. The Position Paper makes three suggestions for additional powers:
  - Introduce statutory damages for contraventions of certain PIPEDA provisions. The damages would be administered by the Federal Court and would not require the plaintiff to prove actual loss;
  - Give the Privacy Commissioner the power to order organizations to comply with PIPEDA. An organization’s failure to comply with such an order could result in the organization being held in contempt of court;
  - Give the Privacy Commissioner the power to impose administrative monetary penalties (“AMPs”) where appropriate. The purpose of AMPs would not be punitive, but rather to deter future contraventions of PIPEDA.
- Mandatory breach reporting and notification: The Commissioner argues that organizations should be required to report breaches involving personal information to the Commissioner and, where warranted, to notify affected individuals, so that appropriate mitigating measures can be taken in a timely manner. The Commissioner notes that the current state of the law gives organizations an incentive to conceal data breaches in order to preserve their reputation. In the United States, most states have already passed mandatory breach notification legislation.
- Mandatory reporting on warrantless disclosure to authorities: Currently, section 7(3)(c.1) of PIPEDA allows organizations to disclose personal information to federal government authorities for the purpose of enforcing Canadian laws. The Commissioner currently has no way of knowing how frequently this provision is used or how much information is going to government authorities. The Commissioner argues that organizations should be required to publicly report the number of disclosures they make to law enforcement without the individual’s knowledge or consent and without a judicial warrant.
- Require organizations to demonstrate accountability; introduce “enforceable agreements”; and expand the scope of Federal Court review: The Commissioner notes that many businesses simply do not comply with privacy legislation, and that the Commissioner lacks the resources to monitor and analyze every organization. A requirement to demonstrate accountability, the Commissioner argues, would incentivize organizations to “walk the talk” with respect to protecting personal information. The Commissioner also wants to see the introduction of “enforceable agreements”, under which an organization would, at the end of an investigation, agree to comply with the Commissioner’s recommendations and to demonstrate that compliance within a set period, failing which the Commissioner would have clear options for recourse. Finally, the Commissioner suggests expanding the types of matters that the Federal Court can review.
These are recommendations only; none of them has been adopted into legislation, or even introduced as proposed legislation.
Jennifer Stoddart has been a vocal and proactive Privacy Commissioner, frequently appearing in the media and making generous use of Twitter. As her tenure approaches its end in December, her anticipation of the problems posed by Big Data could be a significant part of her legacy.