We now have almost two-and-a-half years’ experience with Canada’s federal private-sector data protection legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), in its fully implemented incarnation, and nearly five-and-a-half years’ experience since the first phase of PIPEDA came into effect.
While I am in general pleased with many aspects of PIPEDA, effective private-sector data protection still has a long road ahead of it. Governments are thirsty for more — and more detailed — personal information about Canadians, and they are increasingly willing to draw on private-sector databases for that information.
In the private sector, there is what some variously call the economic imperative, or globalization, or commercial pressures. Without strong privacy rules, these will drive us towards ever diminishing privacy protection.
In this environment, do PIPEDA and its provincial equivalents stand a chance? The answer is a qualified yes. Our five years of test-driving have revealed some deficiencies, some substantial, that warrant attention during the parliamentary review of PIPEDA scheduled for this year.
Personal information about employees has been the source of some of the most challenging complaints my office has encountered over the last five years. Many complaints revolved around consent issues — specifically, whether consent required as a condition of employment can truly be deemed voluntary.
We have also received complaints about the use of surveillance in the workplace that raise difficult issues around consent. In some cases we have been forced to stretch the act to accommodate employment issues.
One possible solution to the deficiencies of PIPEDA on employment issues would be to include distinct provisions in the act to deal with employee information, as is the case with the Personal Information Protection Act (PIPA) of both Alberta and British Columbia.
Alberta’s PIPA, for example, allows personal employee information to be collected without consent under certain conditions, including where the “collection is reasonable for the purposes for which the information is being collected.”
Duty to report
Many of you are aware of the privacy disasters in businesses in Canada and the United States — misdirected faxes, the loss or theft of computer hard drives and, in the ChoicePoint case, the sale of personal data to a crime ring engaged in identity theft.
The ChoicePoint security breach achieved notoriety in part because of a 2003 California law that requires businesses to notify consumers if their personal information is compromised. The California law requires disclosure of any breach of the security of a computerized system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
We now need to ask whether Canadian law should contain similar notice requirements. Notification laws might make the notified individuals more alert to the possible misuse of their personal information. The laws might also force businesses and other organizations to take security more seriously, lest they become the next ChoicePoint to be pilloried in public.
A duty to notify does not easily fit into the current PIPEDA model, since there is no straightforward way to penalize organizations that fail to notify individuals about security breaches. In addition to adding a duty to notify, or as an alternative, a provision could be added to PIPEDA that would allow an organization that has suffered a security breach to notify credit bureaus about the breach and the individuals affected. This would allow credit bureaus to be more proactive in protecting consumers from identity theft and fraud.
Meeting the challenge of outsourcing involving trans-border data flows
We must all work more effectively at the international level to find solutions to the privacy issues flowing from outsourcing that involves trans-border data flows, just as law enforcement has attempted to address crime and money laundering internationally. Canadian data protection agencies do not have the resources — or the legal authority — to chase perpetrators on foreign soil, so we need to work towards harmonized international standards and approaches.
In one case, Abika, we concluded that we could not proceed with the complaint as there were insufficient real and substantial connecting factors between the U.S. organization and Canada. The Office of the Privacy Commissioner therefore lacked jurisdiction to compel the organization to respond, and so we could not issue findings.
I don’t know if we will ever achieve totally satisfactory privacy protection. Protecting privacy in our rapidly evolving world is necessarily a work in progress. There will be new technologies, new commercial pressures, shifting attitudes and changed relationships between the private sector and governments that alter the privacy landscape. This demands flexibility from all the players in the process. We all need to continue to be open to discussion, to honest debate, and to change.
Jennifer Stoddart is the privacy commissioner of Canada. The above text is excerpted from a speech she gave at the Personal Information Protection Act Conference 2006 in Calgary.