Today, at the International Association of Privacy Professionals Canadian conference, the Canadian Privacy Commissioner unveiled her proposals for significant privacy law reforms. Some of this is not very surprising, but there were some unexpected elements.
The full release is here: New privacy challenges demand stronger protections for Canadians - May 23, 2013 and her speech to the conference can be found here: Looking back – and ahead – after a decade as Privacy Commissioner of Canada. The full discussion paper of her proposals is here: The Case for Reforming the Personal Information Protection and Electronic Documents Act.
In a nutshell, here's what she is calling for along with some of my unsolicited comments:
Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court; providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where circumstances warrant. <- It is very interesting that she is putting forward a range of options rather than advocating one position.
Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that virtually all Canadians – 97 percent – would want to be notified of a breach involving their personal information. <- This is a bit of a no-brainer, as long as there is no requirement to notify of inconsequential breaches that would have no effect on individuals.
Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws. <- I think this is a great idea. Leaders in transparency, such as Google, are already providing information such as this and Canadians should know to what extent governments and law enforcement are seeking information without a warrant.
Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit. <- This is an interesting proposal. I think I'll need to reflect on it a bit more before arriving at an opinion.
I expect all of this will fall on deaf ears in Ottawa, as the federal government has no appetite for any privacy law reforms.