Thursday, March 14, 2013

Private member's bill introduced to give Privacy Commissioner order-making powers

On February 26, 2013, Charmaine Borg introduced Private Member’s Bill C-475 (41-1), an Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), to the House of Commons. Bill C-475 is expected to see its first hour of debate at Second Reading on Monday, April 15th, 2013 and a vote on second reading is expected before the end of May.
The Bill proposes to amend PIPEDA to:
  1. Require organizations to notify the Privacy Commissioner of any breach to the security of personal information where there is a possible risk of harm to the affected individual(s);
  2. Allow the Privacy Commissioner to order organizations to notify affected individual(s) of a data breach if an appreciable risk of harm is found;
  3. Create order-making powers to be used by the Privacy Commissioner to enforce the Personal Information Protection and Electronic Documents Act in the event that an organization mishandles the personal information of Canadians; and
  4. Empower the Federal Court to impose fines in cases of non-compliance with an enforcement order issued by the Privacy Commissioner.
I'm in favour of breach notification as long as the threshold is high enough to prevent "false positives" but low enough so that individuals are alerted when the breach is likely to actually affect them. I'm not in favour of giving the Privacy Commissioner general order making powers, particularly in the absence of completely revising the structure of the office to ensure that the somewhat contradictory powers of advocate, cop, prosecutor, judge, jury and executioner are not given to the same person.
While private members' bills historically don't go anywhere, it will be interesting to watch the debate over this one.
