Recommended changes to PIPEDA a step in the right direction: experts

TORONTO – Federal Privacy Commissioner Jennifer Stoddart is calling for change to Canada’s outdated privacy laws and stronger enforcement powers to protect the rights of Canadians in the ever-changing digital world.

Stoddart released a position paper Thursday suggesting the Personal Information Protection and Electronic Documents Act (PIPEDA) is not able to adequately deal with privacy issues in today’s digital age.

“Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially,” said Stoddart in a press release.

“It is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.”

Among the recommendations in her paper are calls for a range of financial penalties that could be imposed by Federal Court, the ability to order organizations to halt privacy-infringing activities, and a requirement that companies report breaches of personal information.

Information covered under PIPEDA includes a person’s name, email address, health records, financial records, and Social Insurance Number.

Michael Geist, law professor and Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, believes that the commissioner hit on some pressing issues in her position paper, including the need for increased transparency on warrantless disclosure.

Geist said that greater transparency is desperately needed.

“We’ve seen some private sector companies, like Twitter and Google, step up and provide greater disclosure about instances where they are asked to provide that [personal] information,” said Geist.

“But to date, if we look at the major Canadian players, particularly in the telecommunications area – like Bell, Rogers, and Telus – they don’t disclose this information and I think keeping their customers in the dark is wrong, and change in that regard is needed.”

Under the current law, organizations are not required to report the disclosure of personal information to law enforcement agencies; they are also not subject to mandatory reporting requirements when privacy breaches occur.

Geist also notes that mandatory security breach requirements are greatly needed in Canada. Jurisdictions including the European Union and the U.S. already have mandatory security breach requirements in place.

“It’s a little bit surprising and frustrating that we don’t have that in Canada,” said Geist.

Dr. Avner Levin, Director at the Privacy and Cyber Crime Institute at Ryerson University, noted that the proposed changes are long overdue and, if implemented, would greatly change PIPEDA for the better.

But Levin suggests that the law is not just outdated but is quickly becoming obsolete.

“The truth in my opinion is that legislation such as PIPEDA is becoming fast obsolete,” said Levin.

“‘PIPEDA with teeth’ along the lines of the commissioner’s recommendations, would be a great first step, but what we will need – and what PIPEDA does not provide – is legislation that absolutely prohibits the use of personal information for certain purposes and legislation that explicitly regulates information shared on social media.”

Levin said that current privacy laws do not prevent businesses from collecting and using personal information; they impose only some restrictions.

This includes information that third parties collect via social networking sites, such as Facebook.

“Think about our human rights codes and how they prohibit discrimination on the basis of race, gender etc. Now think of these categories as personal information – we need laws that would extend the ‘prohibited grounds’ concept and apply it not only to categories of personal information but also to methods of collection,” said Levin.

He gives the example of a law that would sanction any individual who posed as someone else online to “friend” a person on a social network in order to gain access to their information and collect it.

The law requires the government to review PIPEDA every five years – that review is years behind schedule.

The last attempt to change the private sector privacy law, Bill C-12, was stalled in the House of Commons. The bill would require companies to report major breaches of customer information to the commissioner and make it easier for Internet service providers, along with social media sites, to share customer information with authorities.

As Geist notes in his latest blog posting, the bill has been sitting at second reading for months.

“I think it’s high time that the government start taking these issues more seriously,” said Geist.

– With files from the Canadian Press
