On May 23rd, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) released a report entitled “ The Case for Reforming the Personal Information Protection and Electronic Documents Act” (the “Report”). The Report proposes a number of changes to the Act by identifying four main “pressure points”.
The Commissioner’s thesis is that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is currently outdated and ineffective due to the rapid changes in technology. Information technology currently allows organizations to collect, store, and use Canadians’ personal information in order to create new products and services. This poses several challenges with respect to the security of data but also with respect to the way this data is handled by those organizations. Risks of theft and hacking are increasing and putting Canadians in danger.
The Report calls for the following four key changes to PIPEDA:
1. Enhancing the enforcement powers of the Commissioner
Under the current version of the Act, the Commissioner’s powers are limited to those of an administrative investigator. The Commissioner has the power to initiate investigation of breaches of PIPEDA and to name and shame organizations who contravene the Act. No direct enforcement powers exist in order to enable the Commissioner to incentivize protection of personal data. The Report makes it clear that under the existing powers accorded to the Commissioner, its position becomes more and more deficient in protecting Canadians’ personal information in the digital era. The Commissioner makes three suggestions in that respect:
- Introduce statutory damages which will be administered by the Federal Court when certain PIPEDA provisions are being breached.
- Give the Commissioner order-making powers. The Commissioner would be able to order organizations that contravened certain PIPEDA provisions to comply with the Act. In the event of an organization’s failure to obey the order, the Commissioner could have it enforced by the Federal Court as its own order under the court's contempt powers.
- Give the Commissioner the power to impose Administrative Monetary Penalties (“AMPs”). The purpose of the AMPs would be to encourage compliance with PIPEDA and would not have a punitive character.
2. Obligation to report breaches and notify affected individuals
The Commissioner argues that under PIPEDA, organizations are not obliged to report any breaches, further risking potentially affected individuals. Further, the Commissioner reports that the current law permits inequality among the organizations; some organizations report breaches voluntarily and as a result will incur damage to their reputation, while others may purposely fail to report in an effort to avoid such penalties. The Report calls for a mandatory reporting and notification system that would require these groups to report any breaches to the Commissioner and notify the affected individuals.
3. Obligation to report unlawful disclosure to authorities
Section 7(3) (c.1) of PIPEDA currently allows organizations to disclose personal information to governmental authorities and institutions for the purpose of enforcing any law of Canada. The Commissioner argues that the present system lacks transparency since there is no available data regarding how often this provision is used to access information and what kind of personal information is being provided to governmental authorities. Therefore, the Commissioner recommends that a more transparent regime be established. It suggests that organizations be required to publicly report, on a quarterly basis, the frequency of disclosures being made to government institutions without the knowledge or consent of the individuals affected and without judicial warrants.
4. Demonstrating accountability; Incorporation of “enforceable agreements”; and Broadening the scope of Federal Court review
The Report argues there is a lack of resources with respect to monitoring the compliance of organizations. The Commissioner recommends the modification of the accountability principle so that a requirement to demonstrate accountability be put in place. Organizations should be able to show that they have a modern and functioning privacy program. Further, the Report argues for the introduction of the concept of “enforceable agreements”. Under this system, an organization that has been put under investigation would have to agree, at the end of the investigation, to comply with the Commissioner’s recommendations and to demonstrate such compliance within a specific period of time. An organization’s failure to do so would result in action taken by the OPC. Lastly, the Commissioner calls for the expansion of the scope of the provisions under section 14 that the Federal Court can review.
Comments and Analysis
The world is becoming all-the-more interconnected through the use of social media, and as a result, we are developing into a virtual society in which the sharing of personal information is the norm and not the exception. At the same time, people demand more transparency and accountability with respect to the handling of their personal data by private and public organizations. The way this data is used has so far been, intentionally or not, vague with respect to privacy, and the majority of public and private organizations’ attempts to rectify the problem have been superficial.
Bill C-12, the government’s own bill to amend PIPEDA, sits stagnant in Parliament for the time being. Under this Bill, businesses can decide whether or not to inform affected individuals and report to the Commissioner only when a breach is considered material. Furthermore, the Commissioner only has the power to investigate complaints. Evidently, Ottawa is reluctant to move any privacy reform forward.
The Commissioner’s report is a significant start for serious reform because it openly addresses major problems in Canada’s data protection legislation. The recommendations found in the report are not novelties. They exist and have been implemented in other legislative texts in some Canadian provinces and abroad. Expanding the powers of the Commissioner and requiring businesses and organizations to report security breaches would promote the aims of PIPEDA and make it an effective legislative tool in the advancement of privacy protection in the era of “Big Data”. It remains to be seen whether Parliament will take any further action to translate the Commissioner's recommendations into law.
Georgios Andriotis is an IPilogue Editor and a law student at Université de Montréal.