Privacy & Information Security Law Blog

On May 23, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) issued a position paper (the “Paper”) proposing revisions to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to better align PIPEDA with the risks facing a modern information economy. Privacy Commissioner of Canada Jennifer Stoddart addressed the release of the Paper in her remarks at the IAPP Canada Privacy Symposium, stating that “[i]t is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.” According to the Paper, the surge in the collection, availability and use of personal data has upset the balance between the privacy rights of individuals and the legitimate needs of businesses originally struck by PIPEDA. In response, the Paper proposes four general revisions to PIPEDA:

• Grant the OPC greater enforcement powers. If adopted into law, one of the most important recommendations is the enhancement of the OPC’s enforcement powers. The Report provides examples of enforcement mechanisms including statutory damages, administrative monetary penalties and authorizing the OPC the power to issue binding orders to organizations.
• Require organizations to report breaches of personal information to the OPC and, if warranted, to affected individuals. According to the OPC, the current voluntary reporting scheme for data breaches acts as a disincentive for organizations to report breaches because those that do report are subjected to remediation expenses and reputational damage, while those that do not report such incidents may escape with no negative impact to their bottom line.
• Require organizations to publicly report the number of disclosures they make to law enforcement of individuals’ personal information without the individuals’ knowledge or consent. According to the Paper, the provision in PIPEDA providing companies the discretion to submit individuals’ personal information to law enforcement and government institutions without their consent or knowledge creates a troubling regime because there is little insight regarding the content and the magnitude of the personal information disclosed. The Paper suggests that requiring organizations to publish the number of these disclosures to government institutions will increase transparency.
• Require organizations to demonstrate, at the OPC’s request, that they have implemented a privacy program and incorporated the concept of “enforceable agreements.” According to the Paper, this would allow an organization and the OPC to enter into an agreement following an investigation where the organization agrees to comply with the OPC’s recommendations. The OPC noted that sanctioning organizations for violating the proposed requirement that companies stand ready to demonstrate their compliance with privacy law will provide an additional incentive for organizations to comply with their privacy obligations.

The Paper contains only recommendations. Amending PIPEDA requires an act of Parliament. Parliament has yet to act on recommendations made as part of a 2006 review of PIPEDA.