Posts with label: pipeda review

Thursday, November 19, 2020

10 Ways Canada’s Consumer Privacy Protection Act Will Impact Privacy Practices

We just posted this on the McInnes Cooper client information site:
10 Ways Canada’s Consumer Privacy Protection Act Will Impact Privacy Practices

November 19, 2020

By Sarah Anderson Dykema, CIPP/C, Lawyer at McInnes Cooper,

David Fraser, Privacy Lawyer | Partner at McInnes Cooper

On November 17, 2020, the federal government proposed dramatic changes to how Canada will enforce privacy law, ushering in a new legal regime to protect individuals’ personal information – and to regulate organizations’ privacy practices. Bill C-11, the Digital Charter Implementation Act, creates the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and codifies in law organizations’ obligations respecting the collection, use and disclosure of personal information rather than merely relying on the Canadian Standards Association (CSA) Model Code. The federal government estimates it will take about 18 months for the CPPA to go through the legislative process and become law, though this is always difficult to gauge. It might be derailed by, for example, a federal election or the ongoing COVID-19 pandemic – but it might not.

It’s still early days, but if the CPPA (or some form of it) passes, it will take organizations time to put the necessary compliance processes in place. Here are 10 ways the Consumer Privacy Protection Act will impact organizations’ Canadian privacy practices.

1. Big Penalties. There will be significant penalties for non-compliance with the CPPA. It authorizes administrative monetary penalties and, for the most serious offences, fines of up to 5% of global revenue or $25 million, whichever is higher. Currently, PIPEDA only authorizes penalties for the offences added by the Digital Privacy Act (such as knowingly covering up a breach or deliberately failing to notify affected individuals and the Privacy Commissioner), and those are markedly lower than those under the CPPA: the maximum fine is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).

2. Privacy Commissioner Powers. In a move away from the traditional ombudsman model, the CPPA gives the federal Privacy Commissioner broad power to make orders against organizations and to recommend penalties to a new “Personal Information and Data Protection Tribunal”. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization.

3. New Tribunal. A new “Personal Information and Data Protection Tribunal” will determine and levy any penalties – which will have the effect of a court order – and hear appeals from orders of the Privacy Commissioner.

4. Global Application. The new law takes an expansive approach to applicability, expressly applying to all personal information an organization collects, uses or discloses, including interprovincially or internationally. This reflects the increased digitization and globalization of the economy, which knows no borders and which the COVID-19 pandemic has accelerated.

5. New Right of Action. It creates a new privacy breach legal claim. Where the Privacy Commissioner decides an organization violated an individual’s privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding, that individual can sue the organization (within 2 years) for compensation for the violation.

6. Data Portability & Deletion. It provides for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that aren’t yet available), likely to be a boon to open banking. Individuals can also require that an organization delete the personal information it’s collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.

7. Algorithmic Transparency. It requires algorithmic transparency. Consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.

8. Consent Exceptions. It “simplifies” consent requirements for organizations by making some (potentially broad) exceptions to when an organization must obtain an individual’s consent to the collection, use or disclosure of the individual’s personal information, such as where the use of personal information is core to the delivery of a product or service. This could impact, for example, the information an organization must communicate in a privacy policy.

9. Data De-Identification. It makes new rules around the de-identification of data – including allowing for organizations to use an individual’s personal information without their consent in order to de-identify their data, but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes.

10. Codes of Practice. It introduces the concept of “Codes of Practice”. The CPPA allows private organizations to establish a “code” and internal certification programs for complying with the law that the Privacy Commissioner will approve. Once approved, the “code” will effectively establish the organization’s legal compliance obligations.

Friday, January 15, 2016

The Digital Privacy Act: New and upcoming changes to PIPEDA

I was invited this week to present a webinar to the Conference Board of Canada's Council of Chief Privacy Officers on the current and upcoming changes to Canada's privacy law as a result of the Digital Privacy Act (Bill S-4). The changes are pretty significant so I thought it would be worthwhile to share the presentation more broadly. The materials cover most of the major changes, including enhanced consent, business transactions, data breaches, record keeping and compliance agreements.

Thursday, June 18, 2015

Digital Privacy Act (Bill S-4) now (partially) in force

Bill S-4, the Digital Privacy Act, which amends PIPEDA, has received royal assent, and most of it is now in force.

Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.

See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.

New Law to Protect the Personal Information of Canadians Online

Government of Canada's Digital Privacy Act comes into force

June 18, 2015 — Ottawa — Industry Canada

As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.

Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.

Under the Digital Privacy Act:

  • Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
  • Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
  • Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
  • The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
Quick facts
  • Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
  • All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.
Quotes

"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry

"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada


Tuesday, April 08, 2014

Updates to Canadian federal privacy law tabled in the Senate

As expected, the government has tabled amendments to the Personal Information Protection and Electronic Documents Act, but this time in the Senate as Senate Government Bill - S-4.

The highlights are breach notification and an exception to the consent rule for business transactions. I'll have more to say once I've given it a thorough going-over. Watch this space.

The Bill is sometimes hard to follow with the amendments out of place and out of context. So, for your handy reference, here is a redline of PIPEDA with the first reading amendments from Bill S-4 in place.

Thursday, March 14, 2013

Private member's bill introduced to give Privacy Commissioner order-making powers

On February 26, 2013, Charmaine Borg introduced Private Member’s Bill C-475 (41-1), an Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), to the House of Commons. Bill C-475 is expected to see its first hour of debate at Second Reading on Monday, April 15th, 2013 and a vote on second reading is expected before the end of May.
The Bill proposes to amend PIPEDA to:
  1. Require organizations to notify the Privacy Commissioner of any breach to the security of personal information where there is a possible risk of harm to the affected individual(s);
  2. Allow the Privacy Commissioner to order organizations to notify affected individual(s) of a data breach if an appreciable risk of harm is found;
  3. Create order-making powers to be used by the Privacy Commissioner to enforce the Personal Information Protection and Electronic Documents Act in the event that an organization mishandles the personal information of Canadians ; and
  4. Empower the Federal Court to impose fines in cases of non-compliance with an enforcement order issued by the Privacy Commissioner.
I'm in favour of breach notification as long as the threshold is high enough to prevent "false positives" but low enough so that individuals are alerted when the breach is likely to actually affect them. I'm not in favour of giving the Privacy Commissioner general order making powers, particularly in the absence of completely revising the structure of the office to ensure that the somewhat contradictory powers of advocate, cop, prosecutor, judge, jury and executioner are not given to the same person.
While private members' bills historically don't go anywhere, it will be interesting to watch the debate over this one.


Thursday, December 13, 2012

Privacy Commissioner calls for stronger enforcement powers

Until now, the discussion about giving the Privacy Commissioner stronger enforcement powers has been pretty low key. The conversation has ramped up a few notches as Jennifer Stoddart is more explicitly suggesting that she should have much greater powers. On December 11, 2012, she appeared before the parliamentary Access to Information, Privacy and Ethics standing committee as part of the committee's study of privacy and social media.

Her prepared statement is on her website (Statement: Second appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on Privacy and Social Media - December 11, 2012).

In the statement, she suggests that the current model is not working and that her office can handle the role of "judge, jury and executioner." I didn't see any detail on how it is not working. The study that she commissioned on whether the ombudsman model is working suggested that the problem is lack of compliance by small and medium sized businesses, but her comments were directed at "internet giants".

Regardless, we are going to hear a lot more of this in the coming years.


Tuesday, October 23, 2012

Bill C-12, PIPEDA amendments referred to committee (see correction)

It appears that Bill C-12 is being dusted off and will be sent to committee:
Order Paper and Notice Paper No. 167

C-12 — September 29, 2011 — The Minister of Industry and Minister of State (Agriculture) — Second reading and reference to the Standing Committee on Industry, Science and Technology of Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act.

Correction: Apparently it has not been referred to committee yet. It has been "on the order paper" to do so for some time, but the status of C-12 has not changed. Thanks to Jason Kee for pointing this out.

Wednesday, June 06, 2012

Why the heel-dragging on privacy law revision?

I was interviewed yesterday by Sarah Schmidt of Postmedia News about why the Harper government appears to be dragging its heels on implementing Bill C-12 or kicking off the next mandatory five-year review of PIPEDA.

Her interview with the Commissioner, Jennifer Stoddart, and me also focused on the Commissioner's apparent abandonment of the ombudsman model in favour of the ability to issue orders and to levy fines.

Feds dragging their heels on fixing privacy law: Stoddart

OTTAWA — Canada's privacy watchdog says she's "very, very disappointed" by the federal government's failure to update a law meant to protect the personal information of consumers.

Jennifer Stoddart's annual report on the private-sector privacy law, tabled Tuesday in the House of Commons, highlights how evolving technologies are creating new privacy risks for youth.

The report also flags how Parliament is required, every five years, to review the Personal Information Protection and Electronic Documents Act (PIPEDA), but the latest review, which was scheduled for 2011, has yet to be launched. Meanwhile, amendments to the law, tabled last fall, are outdated already, says the report calling for new powers for the Office of the Privacy Commissioner.

"I am very, very disappointed that we're not moving ahead with privacy reform issues. They're long overdue," Stoddart said in an interview after the tabling of the report.

Under the current law, Stoddart has no power to impose any fines and companies are not required to report breaches to her office.

The proposed amendments tabled last fall do not include powers to impose fines, but do include a provision for mandatory reporting to the privacy commissioner if a company experiences a material breach. The bill, known as C-12, has not moved beyond first reading, which took place on Sept. 29, 2011.

"What is put there, I think, was current about three years ago, but in the meantime the world has moved on. I really think, like in most jurisdictions now, we need some sanctions for egregious data breaches." said Stoddart.

"We have to have powers that will be respected by these huge multinational corporations that are doing business online and you need a strong voice to be heard by them."

Pointing to the fact that the government's anti-spam law is still not in effect, despite its passage last year, Stoddart added: "There's a slowness that is hard to understand in this digital age."

David Fraser, a Halifax-based lawyer specializing in privacy laws, said it's "puzzling" the recommendations arising from the 2006 PIPEDA review process have not been enacted.

"They really come up with something that by all measures is a bit of a no-brainer."

Fraser said the government's decision to not begin the second PIPEDA review in 2011 makes more sense if the Tories aren't interested in discussing Stoddart's push for more powers, given how "significant" the proposal is.

"During the last review, the privacy commissioner was fine with being an ombudsman, not have order-making powers and using persuasiveness and co-operation and collaboration to get companies to change their practices," said Fraser.

"More recently, and including in her annual report, she's making noises about looking for additional powers, particularly the ability to levy fines and perhaps issue orders. And that is a significant change — not only a significant change in the approach of her office, which has consistently advocated the ombudsman position for 15 years, but it would make a significant change in the legislation. It may not be a discussion the government wants to have right now," added Fraser, who leads McInnes Cooper's Privacy Practice Group.

Industry Minister Christian Paradis declined to answer questions put to him about why C-12 has stalled in Parliament, the delay in the 2011 PIPEDA review, and Stoddart's push for more powers.

In a statement, Paradis said the government is "building a modern legal framework that will enhance consumer confidence in the online marketplace and support the growth of Canada's digital economy. The Personal Information Protection and Electronic Documents Act underwent a review that led to the drafting of Bill C-12, which is currently before Parliament."

Wednesday, December 07, 2011

Bill C-12: Redline of proposed amendments to PIPEDA

Later today, I'm going to be giving a presentation with Lisa Lifshitz from Gowlings on the proposed amendments to the Personal Information Protection and Electronic Documents Act (AKA C-29), which are stagnating at first reading stage in Parliament. I'll be referring to the redline that I've prepared which shows the amendments in place and is a handy reference. Anyone who wants a copy is welcome to it as well: PIPEDA Amended to include FISA, C-29 and C-12 (Google Doc).

Thursday, November 24, 2011

Bill C-12 and “lawful authority” under PIPEDA

Philippa Lawson has a very well thought out post over at Slaw on "lawful authority" under PIPEDA and the ability of businesses to share personal information with law enforcement. Check it out: Bill C-12 and “lawful authority” under PIPEDA — Slaw.

Thursday, September 29, 2011

Government reintroduces PIPEDA amendments

This just in:

The Digital Economy in Canada - Reintroduction of amendments to the Personal Information Protection and Electronic Documents Act

On September 29, 2011, the Government of Canada reintroduced enhancements to private sector privacy legislation in a bill seeking to amend the Personal Information Protection and Electronic Documents Act (PIPEDA).

This Bill, entitled the Safeguarding Canadians' Personal Information Act, implements the government's October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics arising from the first Parliamentary review of the Act. The Government Response addressed each of the 25 recommendations contained in the Committee's report and committed to amending the Act in agreement with many of the Committee's recommendations.

Bill C-12 includes provisions to better protect and empower consumers, clarify and streamline rules for business, and enable effective investigations by law enforcement and security agencies. Canada already has a solid legislative framework in place to ensure the protection of personal information. The majority of the proposed amendments seek to "fine-tune" the legislation and update it to reflect changes in markets and technology.

Wednesday, March 23, 2011

Privacy-related bills to die on the order paper if Canadian election called

With talk of an election heating up in Canada, I thought I'd provide a list of the government bills that will likely die on the order paper if the government is brought down or if the PM wanders over to speak with the Governor General about dissolving parliament:


  • C-29, An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act) – First Reading in the House of Commons (May 25, 2010)
  • C-50, An Act to amend the Criminal Code (interception of private communications and related warrants and orders) (Improving Access to Investigative Tools for Serious Crimes Act) – First Reading in the House of Commons (October 29, 2010)
  • C-51, An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Investigative Powers for the 21st Century Act) – First Reading in the House of Commons (November 1, 2010)
  • C-52, An Act regulating telecommunications facilities to support investigations (Investigating and Preventing Criminal Electronic Communications Act) – First Reading in the House of Commons (November 1, 2010)

Bills C-50, C-51 and C-52 need some major work so I'm fine to see them go back into parliamentary purgatory, but the PIPEDA amendments (C-29) were pretty good and I'd hate to think we're back to the drawing board.

Wednesday, December 30, 2009

Prime Minister prorogues parliament, privacy legislation in limbo

It's official, the Prime Minister is proroguing parliament until the beginning of March: CBC News - Politics - PM seeks Parliament shutdown until March. (Never mind that they've been on vacation since November.)

This means that a number of privacy-affecting bills are being forced into a coma. The list includes:

  • Bill C-27 - Electronic Commerce Protection Act (Second Reading in the Senate and Referred to Committee on December 15, 2009) (aka Anti-spam Act);
  • Bill C-46 - Investigative Powers for the 21st Century Act (Referred to Committee on October 27, 2009);
  • Bill C-47 - Technical Assistance for Law Enforcement in the 21st Century Act (Referred to Committee on October 29, 2009);

The media is also reporting that, in the meantime, Harper plans to fill five vacant senate seats, which will give the Conservatives the majority they need to ensure safe passage of their legislation.

Friday, January 02, 2009

The Canadian Privacy Law Blog is Five!

Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.

Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.

And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.

I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.

Birthday cake graphic used under a creative commons license from K. Pierce.

Saturday, April 26, 2008

Feds to leave disclosure of data security breaches to businesses: legislative plan

One thing that was relatively consistent in the submissions at PIPEDA's five year review was to follow in the footsteps of more than half the US states to require notification of security and privacy breaches. Canwest is reporting on leaked draft legislation which will surely disappoint many in the privacy community. In effect, there is no mandatory reporting. Businesses get to determine whether there is a "high risk of significant harm" and only then do they need to report the breach to consumers. Not reporting has no consequences. See: Feds to leave disclosure of data security breaches to businesses: legislative plan.

Saturday, November 10, 2007

PIPEDA consultation marches onward

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Committee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliamentary committee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette

DEPARTMENT OF INDUSTRY

IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www.publications.gc.ca.

Thursday, October 18, 2007

Government response to the PIPEDA review

The government has issued its response to the five-year PIPEDA review report, issued earlier this year by the Parliamentary Committee on Access to Information, Privacy and Ethics. No big surprises.

The government proposes even more "consultations".

See: Industry Canada Site - Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics.

Monday, May 21, 2007

Thursday, May 03, 2007

Parliamentary review of PIPEDA: Report

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five-year PIPEDA review:

ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons

The Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS

has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:


Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Friday, February 02, 2007

PIPEDA Hearings - Days 9 and 10

The PIPEDA Review Hearings have resumed after a recess and Michael Geist continues to link to notes taken at the hearings (see: Michael Geist - PIPEDA Hearings - Days 9 (banking industry) and 10 (Chamber of Commerce, Insurance)). The focus has shifted to discussions of breach notification, a topic that now seems to have strong support on the committee.