Originally published in Blakes Bulletin on Privacy Law, August 2006
The Privacy Commissioner of Canada has issued a Discussion Paper identifying a number of areas as warranting consideration in the upcoming five year review of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). While the Commissioner quite properly notes that it is not her role to draft proposed amendments to PIPEDA, the Discussion Paper is an important first step in the review process.
Areas of potential reform identified by the Commissioner which may be of particular interest to businesses are as follows:
The Privacy Commissioner’s powers
PIPEDA was designed to employ an ombudsman regulatory model. The Commissioner has authority to investigate complaints, make findings and issue non-binding recommendations but has no order-making power. The Commissioner raises the question of whether the existing ombudsman model is effective, especially in view of the lack of any enforcement mechanism for the Commissioner’s recommendations.
The Commissioner identifies some circumstances in which PIPEDA’s current consent requirements may be too stringent, e.g., the Commissioner notes that it may be appropriate to permit employers to collect and use employees’ personal information without their consent for "reasonable purposes".
On the other hand, the Commissioner notes there has been support for limiting the types and amount of information that can be collected without an individual’s knowledge or consent. For example, PIPEDA grants organizations broad authority to collect personal information without consent for law enforcement and national security purposes, and there are only limited constraints on the collection or disclosure of information to "investigative bodies". The Commissioner suggests that it may be appropriate in certain situations to limit the amount of information that can be collected, the duration of the collection and the possible sources of the information.
Disclosure before transfer of businesses
The Commissioner notes that PIPEDA lacks an exemption for disclosure of personal information to prospective business purchasers or business partners. Many in the business community would welcome clarification in this regard.
Information prepared or collected as part of an individual’s or group’s employment is not currently accorded any special treatment under PIPEDA. The Commissioner notes that defining and using the term "work product" in the Act may help clarify the distinction between types of data and permit differential treatment of information collected in the course of employment.
Duty to notify
There are currently no provisions under PIPEDA explicitly requiring organizations to notify affected individuals when personal information has been compromised. The Commissioner notes that nearly half of the U.S. states have laws in place that require customers to be notified following security breaches. The Commissioner notes the risk of individuals ignoring too many notices of trivial breaches and raises the possibility of setting some thresholds before notification is required.
Trans-border flow of personal information
As international outsourcing becomes increasingly prevalent, concerns have arisen about the level of protection afforded to personal information transferred outside Canada’s borders. Under PIPEDA’s accountability principle, organizations are required to use contractual or other means to ensure the protection of data transferred to third parties in other jurisdictions. The Commissioner suggests that Parliament evaluate the adequacy of the current accountability principle and explore options to enhance the protection of information outside Canada.
Although the Commissioner’s Discussion Paper is not a formal part of the Canadian government’s review of PIPEDA, the Commissioner has invited interested parties to submit comments by September 7, 2006. Presumably the Commissioner will pass on some or all of these comments to the government as part of the more formal review process, which will likely include the circulation of draft revisions and a hearing before a Parliamentary committee.
Clearly, any proposed amendments to PIPEDA will be controversial, and business and privacy advocates will likely have different perspectives. While interested parties are not compelled to respond to the Commissioner’s Discussion Paper, it is likely that many will do so to ensure that their point of view gets as much exposure as possible leading up to any amendment to PIPEDA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Please join members of the Blakes Commercial Real Estate group as they discuss five key provisions of a commercial real estate purchase agreement that are often the subject of much negotiation but are sometimes misunderstood.
Emotional culture is influenced in great part by the mindset and actions of leadership, although employees also play more of a role than they may realize in creating the culture that exists in the group.
The session will be led by Dr. Robert Brooks, an award-winning author and psychologist. In his presentation, Dr. Brooks will describe the mindset and realistic practices of leaders and staff that help to nurture and sustain a culture characterized by positive emotions, satisfying, respectful relationships, a sense of meaning and ownership for one’s work, and enhanced job performance. Examples will be offered to illustrate strategies for developing a positive emotional culture in an organization.
Join leading lawyers from the Blakes Pensions, Benefits & Executive Compensation group as they discuss recent updates and legal developments in pension and employee benefits law as well as strategies to identify and minimize common risks.
Software license agreements generally require the customer to pay fees for the software license and related services, which fees are usually based upon the duration of the license and the manner in which the customer is allowed to use the software, together with applicable taxes and withholdings.
In less than nine months, on July 1, 2017, persons affected by a contravention of Canada's anti-spam legislation will be able to invoke a private right of action to sue for compensation and potentially substantial statutory damages.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).