On May 2, 2007, the House of Commons Standing Committee on Access to Information, Privacy and Ethics ("the Committee") made recommendations in its 4th Report to Parliament, following a statutory 5-year review of Canada's federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). Under section 29 of PIPEDA, and pursuant to an order of the House of Commons, Part I of the Act, Protection of Personal Information in the Private Sector is subject to review every five years. Following a review, the Committee must submit a report to Parliament that includes a statement of any recommended changes to Part I or its administration.
The Committee held hearings between November 20, 2006 and February 22, 2007. Released yesterday, the Committee's report on the Statutory Review of the Personal Information Protection and Electronic Documents Act provides a well-balanced and comprehensive set of recommendations with respect to PIPEDA. The Committee did not propose any dramatic changes to PIPEDA at this time. This briefing will provide an overview of some of the key issues dealt with by the Committee.
Canada's approach to privacy
Since 2001, Canada has had umbrella privacy legislation in place. PIPEDA sets out requirements for how private sector organizations collect, use and disclose personal information in the course of commercial activities. With increased use of network technologies, more sophisticated market research tools, concerns regarding identity theft and greater emphasis on security, the role of privacy law in our society has taken on increased significance. Important discussions of Canada's privacy law occurred during Parliament's recent review of PIPEDA.
Key issues – order-making powers, naming names, breach notification
During its review, the Committee considered some of the key issues surrounding the future of privacy regulation in Canada. These include whether the Privacy Commissioner should be given order-making powers, whether the Privacy Commissioner should be required to identify each organization subject to a privacy complaint, and whether mandatory breach notification should be required in the case of unauthorized disclosure of, or access to, personal information.
The Committee ultimately recommended that no changes be made to give the Privacy Commissioner order-making powers, and that the Privacy Commissioner should continue to exercise discretion as to whether to name organizations in the public interest. However, the Committee did recommend that PIPEDA be amended to require organizations to report certain defined privacy breaches to the Privacy Commissioner and that, upon receiving such a report, the Privacy Commissioner should be required to determine whether affected individuals should be notified and the manner of such notification.
Issues of particular interest to businesses – business transactions, work product, business contact information and transborder data flows
The Committee considered additional issues pertaining to various deficiencies that either privacy advocates or organizations had identified in their experience with PIPEDA since 2001. Among these were issues of concern to the business community including personal information in the context of business transactions, collection of work product data, and the technologically limited exemptions for business contact information from the definition of personal information. There were also submissions for and against restrictions on the transborder flow of personal information.
The Committee recommended that PIPEDA be amended to permit businesses to collect, use and disclose information without obtaining prior consent for the purposes of business transactions such as mergers or acquisitions. The Committee also recommended that a definition of "work product" be included which would not constitute "personal information" as defined in the statute. The work product exemption would allow organizations to collect certain information related to employment or business activities without obtaining employee consent. A technologically flexible definition of "business contact information", which includes fax and e-mail in addition to the currently exempted business address and telephone number, was also recommended. This would have the effect of excluding a wider range of business contact information from "personal information", consistent with contemporary methods of business communication. The Committee declined to recommend any changes that would create new restrictions on the transborder flow of personal information. Organizations would therefore be allowed to continue to employ predominantly contractual means to protect personal information transferred to service providers or affiliated organizations outside of Canada.
Issues of general interest – obtaining consent and consent of minors
As consent is one of the most important principles of PIPEDA, it is not surprising that submissions proposing the strengthening of the statute's consent requirements were advanced to the Committee. In addition, submissions were made with respect to the protection of the personal information of minors, particularly through the adequacy of consent.
The Committee agreed that the consent requirements should be clarified, and that a distinction should be made between the three main categories of consent: negative, affirmative and implied consent. The Committee also recommended that the issue of under-age consent be further studied with a view to amending PIPEDA.
Of particular interest to the financial services sector, the Committee recommended that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts. This proposed modification could give some organizations flexibility in contacting family members in cases of a disaster or where abuse may be suspected.
Privacy law compliance will continue to be the subject of increased scrutiny, not just in Canada but also in other jurisdictions. The United States has recently been grappling with suggestions that it harmonize some of its privacy requirements by creating an umbrella federal law. In the U.S., over 24 jurisdictions currently have various data breach notification requirements in place. Europe has a complex web of privacy requirements in more than 33 jurisdictions. More and more, privacy requirements are shaping business processes, marketing plans and even the structure of how due diligence in a business transaction takes place.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.