Media Centre

Moving Forward with Private Sector Data Protection

Remarks for the Certified General Accountants Association of Canada’s Economic News Luncheon

September 27, 2006
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

Introduction

I am pleased to have the opportunity to speak to you in these early days after Parliament has reconvened.  This session, parliamentarians will confront several important privacy issues, among them the fallout from Mr. Justice O’Connor’s report last week about the mistreatment of Maher Arar.  Mr. Arar’s mistreatment flowed, in large part, from the sharing of personal information – some of it inaccurate, some of it false, according to the report – across borders in a national security matter. Another and, on its surface, somewhat more pedestrian, privacy issue involves the five-year review of the Personal Information Protection and Electronic Documents Act, known as PIPEDA.  I say “on its surface” because, although PIPEDA is seen primarily as a vehicle for protecting the personal information of individuals when they deal with organizations engaged in commercial activities, its provisions also feed into the debate about the role of the private sector in matters of national security.

I am confident that all of you benefit from PIPEDA in your private lives. You also encounter PIPEDA in your professional activities, and I have noticed your association’s recognition of the importance of the Act and of privacy in general.  Your 2003-2004 annual report acknowledges that privacy has emerged as one of the key business issues for both Canadian organizations and CGAs.  You have also developed privacy compliance tools such as a model privacy code and privacy protection pledge, as well as a model commitment to privacy, and I look forward to learning more about these.

What is PIPEDA?

As a law student, I quickly learned the adage that “ignorance of the law is no excuse” – particularly when writing law school exams.  However, I will risk assuming that, despite our apparent responsibility to know the law, not every member of this audience is intimately familiar with PIPEDA.  In a nutshell, PIPEDA sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The Act gives individuals the right to obtain access to and request correction of the personal information these organizations may have collected about them.

The Act applies to personal information collected, used or disclosed by the retail sector, publishing companies, the service industry, manufacturers and other provincially regulated organizations.

The federal government may exempt organizations or activities in provinces that have their own privacy laws if they are substantially similar to PIPEDA.  To date, Quebec, BC and Alberta and, in matters relating to health care, Ontario, have enacted substantially similar legislation.  However – why make things too easy – PIPEDA will continue to apply in those provinces to the federally regulated private sector and to personal information in interprovincial and international transactions by all organizations engaged in commercial activities.  The Act also does not apply to the personal information of employees of provincially regulated organizations.  These jurisdictional bumps were not added out of malice or to employ more lawyers in their interpretation.  They simply reflect Canada’s constitutional divisions of power.

As Privacy Commissioner of Canada, I am responsible for the oversight of PIPEDA.  My Office receives and investigates complaints, and has the authority to conduct audits of the information handling practices of organizations as well.  I operate as an ombudsman, with powers to take cases to Federal court and to expose organizations that violate PIPEDA. 

Some argue that any publicity is good publicity, but that doesn’t apply in the field of privacy, I assure you.  Publicity can be a powerful tool for securing compliance with what we call the “fair information practices” at the heart of PIPEDA. Witness the corporations around the world that have suffered the wrath of consumers who learn of corporate practices that violate consumer privacy.   Corporate powerhouses like Wal-Mart, Benetton and Gillette witnessed this wrath when they tried to introduce a tracking technology known as Radio Frequency Identification, or RFID, into their products.

The Five-year Review

The first phase of PIPEDA came into force in 2001.  The Act has been fully in force for less than three years.  Despite the relative youth of the Act, we have had sufficient experience with PIPEDA to identify potential deficiencies, and we are looking for measures that will make it more effective in protecting privacy.

That said, PIPEDA appears to be working reasonably well, although gaps have appeared that were not anticipated when it was drafted several years ago. Some of PIPEDA’s provisions may need to be reconsidered in light of experience, including the experience we have observed with substantially similar provincial privacy legislation.

Besides challenges within the legislation itself, changes in society necessitate rethinking some aspects of PIPEDA. These changes have occurred on many fronts – for example, the expansion in transborder flows of personal information, spyware, illegal data trafficking, increased threats to the security of computer systems and the growing interest of government agencies in getting access to personal information held by the private sector for government programs designed to address national security issues.

Our Preparations for the Review

When Parliament enacted PIPEDA, it included a provision for review of the legislation every five years.  This is that fifth year.   In preparation for that review, my Office has identified a range of issues that should be addressed.  We set out many of those issues in a discussion paper that we posted on our web site in July, and we invited submissions.

The purpose of asking for submissions was not to be bound by the views of those who responded. It would not be possible in any event to be bound by the views, given the sometimes contrasting positions on any given issue.  However, we knew that these submissions would greatly enrich our discussion about the review of PIPEDA and its possible reform.  When I appear before a parliamentary committee to discuss PIPEDA reform, I can be confident that I have a broader understanding of the concerns of those affected by PIPEDA.

Sometimes you get more than you ask for.  As of the deadline for submissions on September 7, we had received almost 60 submissions from industry and advocacy groups, professional associations, companies and individuals in response to our discussion paper on PIPEDA reform.  As you can imagine, there is considerable variation in the views expressed, and we are busy trying to assimilate the variety of views and the reasoning behind them.

What are the Issues?

I won’t go into great detail about the issues we have addressed in our discussion paper, but I do want to highlight a few points.  For those who want to look more deeply into these issues, you can find the discussion paper on our web site.  Even though we are now well past the deadline for comments, please do not hesitate to send us your views. My Office is always interested in feedback.

Disclosure on transfer of businesses

PIPEDA contains no provision to allow an organization to disclose personal information – about customers, for example – to prospective purchasers or business partners without the consent of the individual affected. They may need to review this information (such as client lists) for their “due diligence” evaluation of whether to proceed with the transaction – perhaps a merger, acquisition or sale of business. Such transactions may range from the relatively modest – the sale of a dental practice, including its patient lists – to very large corporate takeovers.

Other laws, such as Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and the Alberta and British Columbia Personal Information Protection Act (PIPA) allow disclosures without the individual’s consent, subject to stringent confidentiality agreements.

If a sale or merger occurs, some individuals may not want their personal information transferred as part of that sale or merger.  In such cases, should individuals have the opportunity to opt out of the transfer of their personal information?    

Duty to notify

Another issue for the PIPEDA review, very topical in light of growing concern about identity theft is what we term the “duty to notify.”  Some argue that organizations that suffer security breaches or the outright theft of their personal information holdings should be required to mitigate the risk of identity theft to the individuals involved. Mitigation after a security breach could involve notifying the individuals whose information is at stake, credit agencies, relevant government agencies (for example, those that administer welfare benefits) and other commercial entities, such as banks.

By the end of 2005, roughly half of U.S. states had passed laws requiring customers to be notified when their personal information is compromised. As well, several bills have been introduced, but none yet passed, at the federal level in that country. These laws typically provide for large fines for failure to notify. For example, legislation in New York State provides for penalties of up to $150,000 for knowingly or recklessly violating the reporting requirements. Some argue that PIPEDA should include a similar duty to notify the individuals affected after a security breach.

Of Canadian data protection laws, Ontario’s Personal Health Information Protection Act is the only one requiring notification after a security breach. The Act requires health information custodians to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or accessed by unauthorized persons.

Outsourcing and loss of control over personal information

The current business climate often favours the outsourcing of data processing. Some outsourcing results in the transfer of personal information to organizations in Canada that are themselves subject to PIPEDA or substantially similar provincial data protection legislation. Outsourcing may also involve transferring personal information outside Canada, a process described as the transborder flow of personal information.

PIPEDA currently imposes responsibility on an organization for information that has been transferred to a third party for processing.  The organization must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. This principle applies to any transfer, whether the receiving company is in Canada or abroad.

Still, the growing concern about loss of control over personal information of Canadians when it crosses borders has led to discussion about several possible options to enhance respect for this accountability principle. Among the other means to protect personal information are provisions that might be placed in contracts between an organization in Canada subject to PIPEDA and the receiving company.  These could include provisions allowing the organization in Canada to inspect and audit the information management practices of the company processing the data abroad, including security practices and disposal procedures, and how the receiving company will enforce these practices and procedures.  The contract could also require the company abroad to provide individuals with access to the personal information it holds about them.

PIPEDA in Context

I want to touch on a more general dimension of privacy, or what I term “PIPEDA in context.”  Occasionally, I encounter arguments from those regulated by PIPEDA that their activities, while intruding somewhat on privacy, do not represent significant intrusions in and of themselves.  To them, the reaction of my Office and my protestations about their activities may seem excessive.  However, providing effective privacy oversight for Canadians means more than looking at the individual actions of individual players.  Of necessity, protecting privacy involves looking at the collective impact of these actions. 

Let me draw a parallel with another public concern – the environment.  Few people would think it an environmental disaster if someone poured a litre of motor oil into Lake Ontario.  And they would be right.  But if everyone did that, the result would be an environmental catastrophe.  The same dynamic is at play with privacy.  One intrusion – for example, the collection by one company of personal information without the knowledge or consent of an individual – may not seem a privacy disaster.  But if everyone does this, it becomes a serious problem – a serious problem, that is, if we genuinely value the right of privacy and its pivotal place in a democracy.  If we’re serious about privacy, we have to be serious about how our individual actions affect the broader privacy climate. 

There is another dynamic at play – one that takes us beyond the analogy of the oil spill. We are seeing an unprecedented thirst by governments, even in countries that we have until now viewed as robust democracies, for personal information about foreigners, about immigrants and even about citizens. 

Since PIPEDA was enacted, a series of Acts have gradually whittled away at its protections, dangerously blurring the distinction between the public and private sectors and, in effect, deputizing the business community to act as the agent of the government. First the Proceeds of Crime (Money Laundering ) and Terrorist Financing Act was amended to require financial institutions and other organizations to disclose personal information to the Financial Transactions Reports Analysis Centre of Canada.  Then, amendments to the Aeronautics Act allowed Canadian air carriers to disclose passenger information to the customs and immigration authorities of foreign states. The Public Safety Act allows the Minister of Transport, the RCMP and CSIS to require air carriers and operators of aviation reservation systems to provide them with information about the passengers and crew of airlines and other modes of commercial transport. As well, it amended PIPEDA to allow organizations to collect personal information, without consent, for the purposes of disclosing this information to government, law enforcement and national security agencies. This incremental weakening of PIPEDA is very disturbing to a Privacy Commissioner. 

I am not downplaying the potential impact of terrorism. But we must be careful that we don’t allow governments to capitalize on fear in order to diminish privacy in ways that are not justified.  This is too important a right to be sacrificed on the altar of expediency.  Mr. Justice O’Connor’s recent report about the mistreatment of Maher Arar shows how, in this climate of fear, the improper handling and use of personal information, and the provision of inaccurate information, can have devastating consequences for individuals.  

Sometimes we need to bring a perspective like that of Justice O’Connor to the debate about privacy, particularly the debate about privacy, national security and terrorism.   As you deal with your clients, as you go about the activities of your profession, I encourage you to remember how the individual parts contribute to the whole.  And I encourage you as individuals to keep a balanced perspective about privacy and the forces in our world that threaten to diminish it.