Committee Recommends Amendments to Canada’s Federal Privacy Legislation
July 31, 2007
On May 2, 2007, the Standing Committee on Access to Information, Privacy and Ethics presented to the House of Commons its report arising from the statutory review of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
The Committee’s recommendations reflect extensive consultations with various stakeholders and mostly represent a fine-tuning of PIPEDA rather than wholesale amendments. As noted by the Committee, much of the fine-tuning is premised on the need for greater harmonization between PIPEDA and the laws of the provinces of Quebec, Alberta and British Columbia, all of which have substantially similar private-sector data-protection laws. Various stakeholders’ submissions to the Committee argued that British Columbia’s and Alberta’s "‘second generation’ privacy laws provide a more practical and updated reflection of privacy protection today."
The following are some highlights from the recommendations:
1. Amend PIPEDA to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Federal Privacy Commissioner.
2. Include a provision permitting organizations to collect, use and disclose personal information without consent for the purposes of a business transaction.
3. Include a definition of ‘work product’ that is explicitly recognized as not constituting personal information.
4. Clarify the form and adequacy of consent required by PIPEDA, distinguishing between express, implied and deemed/opt-out consent.
5. Incorporate amendments to address the collection, use and disclosure of personal information in the employment context.
6. No amendments should be made to PIPEDA with respect to transborder flows of personal information.
7. The Privacy Commissioner should not be granted order-making powers at this time.
8. No amendment should be made with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.
McCarthy Tétrault Notes:
Many of the changes recommended by the Committee will be welcomed by organizations that are subject to PIPEDA’s privacy protection requirements.
First, many of the proposed changes would address compliance obligations that have proven unwieldy to organizations that are subject to PIPEDA. One example is the failure of PIPEDA to permit the collection, use and disclosure of personal information about employees without consent, as is required to manage the employment relationship. The absence of such an exemption to the consent requirements of PIPEDA has proven a challenge for federally regulated employers.
Second, many of the amendments would have the practical effect of harmonizing PIPEDA with the current provincial privacy legislation (such as British Columbia’s or Alberta’s Personal Information Protection Act or Québec’s An Act Respecting the Protection of Personal Information in the Private Sector). For example, introduction of an exemption for ‘work product information’ and further definition of PIPEDA’s exemption for business contact information would enhance the ability of organizations that operate in multiple provinces to implement consistent privacy practices and processes throughout Canada.
Many organizations will also welcome the Committee’s recommendation that no amendments be made to PIPEDA with respect to transborder flows of personal information. Consistent with the recommendations of the Privacy Commissioner of Canada, the Committee noted that "[PIPEDA] already contains sufficient accountability and allows for the necessary flexibility for businesses to ensure that personal information is privacy protected when it crosses our borders," and encouraged the Commissioner to continue providing guidance to organizations regarding the implementation of appropriate safeguards.
Another hot topic the Committee considered was whether PIPEDA should be amended to expressly require that organizations report breaches of privacy — that is, in circumstances in which personal information under the control of the organization has been subject to unauthorized access or use. Despite the potential drain on resources that such a mechanism could put on the Commissioner’s office and despite the lack of power to make binding orders, the Committee recommended a requirement that organizations report certain defined breaches to the Commissioner. The Commissioner would in turn determine whether affected individuals and others should be notified and, if so, in what manner. This approach differs from that taken in other jurisdictions, including many US states, which require direct notification of the affected individuals in the event of certain breaches.
Although it will be some time before the Committee’s recommendations translate into amendments to PIPEDA, organizations should at the very least revisit their internal privacy processes to ensure that an internal escalation mechanism has been implemented. This mechanism should include requiring service providers to notify the organization of breaches relating to personal information that the organization has provided to them, and ensuring that IT staff, risk management professionals, human resources personnel and other relevant individuals are prepared to respond to breaches.