With today's proposed amendments to the federal private sector privacy law, most of the attention has been focused on "breach notification". But there's another very important amendment that seems to be a little below the radar.
On this blog, I've had a lot to say about cooperation between the private sector and law enforcement/national security agencies. One of the problems that telcos in particular have been struggling with is how to deal with warrantless demands for customer information. Section 7 of PIPEDA allows limited disclosure without consent to law enforcement/national security agencies where they have "lawful authority" to request the information. Courts have ruled that an active police investigation is not "lawful authority", so a disclosure would be unlawful.
It appears that the bill introduced today to amend PIPEDA will expand the ability for organizations to provide customer information to authorities without a warrant. (I haven't seen the text of the bill yet.)
Here's the official word from the Industry Canada media release:
Supporting Effective Law Enforcement
Another key thrust of the Bill is supporting effective law enforcement. The Government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order. To avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.
I expect that the amendments will be permissive, in that they will allow a custodian of information to pass personal information to the police rather than require it. But for many, that's a distinction without a difference as I've often seen police take the position that if privacy legislation would permit it, it's almost obligatory.
Update: Here is the First Reading text of Bill C-29.