The Privacy Commissioner of Canada wants to beef up privacy laws to keep up with the pace of the digital age and its endless thirst for acquiring personal information, the office announced today.
Commissioner Jennifer Stoddart has charted a roadmap to what a modern privacy protection framework might look like with a position paper made available online. In it, she calls for reforms strengthening the Personal Information Protection and Electronic Documents Act (PIPEDA) that governs commercial activities across the country, save for Quebec, Alberta, and British Columbia, which have provincial privacy laws in place. Stoddart calls for the power to impose fines when needed, a requirement that organizations that suffer personal information breaches notify affected individuals, an increase in law enforcement transparency, and a way to hold organizations to account when they violate privacy laws.
The Federal Court could also order statutory damages to be paid for breaking privacy laws, Stoddart writes, without the requirement that an affected party prove a direct loss as a result of the violation. A minimum and a maximum amount for the fines would be set as guidelines for the court. Stoddart points to Canada’s Anti-Spam Legislation (CASL) as an example of legislation that uses fines in this way – legislation that is soon to be implemented and is meant to deter unwanted e-mail correspondence between businesses and consumers.
Mandatory reporting of privacy breaches by organizations is needed because “over the past few years, there have been a number of high-profile data breaches both in Canada and abroad that compromised the personal information of Canadians,” Stoddart writes. This can result in harms such as identity theft, financial loss, damage to credit ratings, or even physical harm. Stoddart is concerned Canadian organizations aren’t doing enough to protect the customer data in their care.
The Privacy Commissioner’s office has been no stranger to the challenges posed to guarding personal privacy in a connected world. Since the last PIPEDA review in 2006, it has conducted several investigations against major web brands that deal with the personal details of Canadians.
A 2009 investigation into Facebook resulted in the social network making changes such as a clearer distinction between deleting and deactivating an account and further controls over what third-party applications are able to do.
Stoddart also oversaw a 2010 investigation into Google’s collection of Wi-Fi data using Street View cars, which collected personal information from Canadians with unprotected networks. Stoddart expressed concern with Google’s “careless” approach to personal information and made recommendations for a governance model that would prevent such occurrences in the future.
Last year, the Privacy Commissioner investigated 25 websites visited regularly by Canadians and found six had unsafe privacy practices. It didn’t disclose the websites, but followed up with the offenders to get the privacy leaks plugged.
Stoddart says the complexity of these cases and the follow-up efforts made by her office are taking a lot of resources. She’s looking for the law to hold companies legally accountable for making the changes requested by her office.
Parliament is required to review PIPEDA and the aspects dealing with data protection every five years. The last review was started in 2006 and a final report on that review was issued by a committee in May 2007.