Mr. Chairman, honourable members, thanks very much for the opportunity to speak with you today.
In my brief remarks to you this afternoon, the CBA section wishes to highlight four key areas or themes among several we've addressed in detail in our submission to Industry Canada, which we've just referenced.
These themes reflect particular areas of PIPEDA that six years of experience have demonstrated to be deficiencies in the law or that represent emerging policy issues that were not adequately recognized when the law was first enacted. After nearly six years of interpretation by the courts and by the Office of the Privacy Commissioner, we believe it's prudent and necessary to consider amending PIPEDA.
Privacy legislation has been enacted in British Columbia, Alberta, and Ontario since PIPEDA came into force. These provincial developments respond to our experience with PIPEDA and in some instances have addressed deficiencies in both drafting and interpretation.
The CBA section’s recommendations for amendments to PIPEDA are shaped by the following principles. First, while respecting the balancing of interests in the collection, use, and disclosure of personal information, vigilance is necessary in monitoring and opposing unnecessary erosions of privacy by both government and non-governmental organizations. Second, the basis for protecting privacy in Canada should be fair information practices as they continue to evolve. Third, privacy legislation and practices across Canada should be harmonized to the extent possible.
I'll touch on the first theme, and that is that PIPEDA should be neutral in regard to the litigation process. In other words, it should not affect pre-existing and commonly held litigation processes that have evolved for decades and hundreds of years. PIPEDA contains a number of specific exemptions to the consent requirement that require amendment. The current exceptions relating to litigation are too narrow and should, at a minimum, be broadened to ensure that well-established litigation procedures are not impeded.
This narrowness is evident in the investigation exceptions, the one-way disclosure, the collection and use of debt disclosure information, and the limitation on disclosure throughout the litigation process. The result is inadequate coverage of all aspects of the process: pleadings, oral discovery, mediation, private arbitration, settlements, solicitor communications, and other non-court ordered exchanges of information.
There should be a broad exclusion for information legally available to a party to a proceeding that would override specific exceptions currently found in PIPEDA. Related to this concern, PIPEDA should be amended in its application to law enforcement. Specifically, the provisions for the collection, use, and disclosure of personal information without consent for legitimate law enforcement purposes should be clarified. The current provisions relating to investigations and the enforcement of laws are confusing and internally inconsistent. A single standard should be applied for collection, use, and disclosure relating to law enforcement.
Finally, the provisions respecting investigative bodies should be streamlined. For example, organizations should be permitted to carry out their own investigative activities without unnecessarily being required to use other investigative bodies to collect information from third parties. The CBA recommends an amendment to create a broad exclusion for information available by law to a party in a proceeding to permit collection, use, and disclosure without consent where reasonably required for an investigation.
The second theme I'll touch on is as follows: PIPEDA enforcement should be more effective while continuing to reflect principles of fundamental justice. The lack of order-making powers in PIPEDA significantly affects the likelihood of complainants bringing forward issues of non-compliance. Complainants must apply to the Federal Court to obtain a remedy or compensation, but they may only do so after the commissioner has issued a finding. At present, it takes up to a year to receive a finding. Also, taking a matter to the Federal Court effectively requires hiring legal counsel and places the complainant at risk of an adverse cost award.
Further, there is no mechanism for the commissioner to compensate an individual who has incurred significant expense or suffered loss in connection with a complaint. However, under the current structure, conferring order-making powers on the commissioner could result in a violation of principles of fundamental justice. Currently, the commissioner acts as an ombudsman who advocates protecting personal information. The commissioner's office also investigates alleged violations of PIPEDA. Combining advocacy, investigative, and decision-making roles may place the commissioner in a conflict of interest and undermine the credibility of the office.
More effective enforcement could be achieved by assigning a separate office or body, functioning in a reasonably informal manner with decision-making authority. We've previously suggested an impartial tribunal with order-making powers and the ability to award damages, while the commissioner would retain the investigative powers and an advocacy role. The commissioner could be required to issue a finding within six months, which would then be referred to the tribunal. Therefore, the CBA section recommends an effective enforcement mechanism for PIPEDA be considered, such as the establishment of an impartial tribunal that would operate relatively informally, with power to make orders and award damages.
The next theme is that any requirement for notification of breaches of privacy should be balanced in approach. To date, federal and provincial privacy legislation has required public and private organizations to apply security safeguards when handling personal information. Several U.S. states have recently enacted additional legislation to require organizations to notify individuals in the event of a security breach involving improper disclosure of their personal information.
The EU has recently announced that it may consider information security incident notification. In contrast, Canadian privacy legislation does not explicitly contain such a requirement, with the exception of Ontario's Personal Health Information Protection Act. Therefore, the CBA section recommends that a balanced privacy breach notification requirement be considered, such as a duty to notify only where an organization is not covered by security mechanisms such as encryption, or has received notice that such protection mechanisms have been breached, and the information that has been compromised is sensitive personal information.
The final theme I'll touch on is that transborder information intended under Canadian privacy laws to flow unimpeded should be subject to appropriate precautionary requirements.
The commissioner has stated that the review of PIPEDA would be an opportunity for developing further privacy protection measures related to transborder information sharing by the private sector. One such measure is found in the commissioner's submission to the British Columbia Privacy Commissioner concerning the impact of the U.S. Patriot Act on personal health information of B.C. residents. The federal Privacy Commissioner recommended that Canadian companies that outsource information processing to organizations based abroad should notify their customers that the information may be available to the foreign government or its agencies under a lawful order made in that country.
Section 17 of Quebec's Act Respecting the Protection of Personal Information in the Private Sector specifically addresses the issue of transborder transfer of information. It obliges people communicating information about Quebec residents to persons outside the province to take all reasonable care to ensure that such information is not disclosed to third parties without consent, except as provided in the legislation.
PIPEDA currently contains general rules requiring parties holding information or outsourcing information to ensure its protection, but doesn't necessarily contain any rule specifically directed at protection of information transferred outside of Canada. Under PIPEDA, each organization, as you know, remains responsible for personal information in its custody or control, including information transferred across a border.
PIPEDA should contain appropriate precautionary requirements to protect information when it is transferred across borders. We have previously considered a number of alternatives to achieve this objective, such as a requirement that organizations transferring information to foreign entities enter into written agreements that would ensure security and protection of information against unauthorized access or disclosure in accordance with Canadian privacy law. Another alternative is a more generalized approach of protecting information transferred outside of the jurisdiction found in Quebec's privacy law.
In its earlier submission, the CBA section also analyzed options for a notification or consent requirement for information transferred across a border. Each of these options would involve some form of notice to be provided to or consent obtained from the individuals whose information would be transferred outside of Canada. Amending PIPEDA to implement either a notice or a consent requirement for cross-border transfer of information requires a very careful consideration of the potential advantages and disadvantages of the approach.
The CBA section recommends that where personal information is to be stored or processed in a jurisdiction outside of Canada, PIPEDA require additional provisions to enhance security of personal information and ensure conformity to Canadian law, such as contracts between organizations and entities storing or processing personal information.
The CBA section appreciates the opportunity to share its views with the committee today. We believe our suggestions will provide some assistance in amending PIPEDA to address deficiencies that have become apparent since its enactment. Our goal is to improve the legislation for the benefit of Canadians, consistent with PIPEDA's purpose of establishing rules that recognize both individual privacy rights and the organizations' needs to collect and use information in an appropriate and reasonable manner.
Thank you very much.