The Privacy Commissioner of Canada released her office’s Discussion Paper last week, announcing it at the IAPP Canadian Privacy Symposium. The timing could not have been better for me personally, as I was due to deliver a talk the next day at the IAPP entitled “Canada’s Response to the EU Privacy Regulation.” The Discussion Paper was of course (and properly) focused on the needs of Canadians, but offered this about the EU:
“It is an open question as to what effect the proposed Regulation, if passed in its present form, might have on Canada’s adequacy status, given the current state of PIPEDA.”
This of course led nicely into my presentation. Nymity has kindly done an interview with me on this, and I will link to it when it is available; what I want to talk about here is the substance of the proposed changes to PIPEDA.
There are four main areas identified in the Discussion Paper for update:
- Mandatory breach notification;
- Increased and effective enforcement powers in the Office of the Privacy Commissioner of Canada;
- Tightening controls on lawful access; and,
- Increasing organizational accountability for privacy.
Needless to say, I agree with all of these changes. How we make them is important:
- Coordination with the Provinces: We do not want or need the kind of patchwork that the US has to endure. It is not helpful to organizations to have different standards for what counts as a breach, with time limits and procedures varying from province to province or between the provinces and the Federal government. In fact, the need for coordination goes beyond breach: we need to ensure that our laws continue to be founded on the same principles, and to use the same ideas and tools. The collaborative nature of our commissioners has facilitated this (more on this below), but perhaps we need a ‘model law’ with an appropriate allocation of responsibilities between federal and provincial commissioners, and harmonization of breach requirements, accountability and risk management concepts. I pointed out in my talk how much of our reputation internationally is due to the good luck we have had with privacy commissioners, both federal and provincial. Another aspect of that good luck is the degree to which they work together. PIPEDA (and each of the provincial laws) should provide for shared investigations and responsibilities; we cannot leave the willingness to collaborate between levels of government to luck, as it is essential to a federal system of shared responsibility for an effective privacy framework. In fact, I think the ideal way to address the challenge of the EU Draft Regulation is a joint federal-provincial review and update of our legislation. That is obviously not something the Federal Commissioner can propose in a Discussion Paper on updating PIPEDA, but it is something we in the privacy community should discuss.
- Breach Thresholds: While the Discussion Paper does not go into detail on this, I believe the prevailing view of privacy professionals is that Bill C-12‘s provisions did not go far enough when the bill was introduced (in 2011), and certainly do not now. I think it is helpful to look at recent developments south of the border: HIPAA in the US was recently updated by the Omnibus Rule to establish a lower threshold for notification of HIPAA breaches, in large part due to the recognition that the earlier ‘significant risk of harm’ standard was leading many organizations to conclude that notification was not required, perhaps in more circumstances than was warranted.
The Alberta model of ‘real risk of significant harm’ and C-12’s “material breach” of security are open to the same criticism. The Omnibus Rule’s new test presumes that an impermissible use or disclosure is a breach unless a four-factor risk assessment demonstrates a low probability that the protected health information has been compromised (the factors being the nature and extent of the information involved, the unauthorized person who received or used it, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated). While I like the Alberta model otherwise, I believe it would make sense to adopt the HIPAA Omnibus threshold together with the risk assessment piece; Alberta already has this concept embedded in its Mandatory Breach Reporting Tool.
- Notification: I also like the notion that not all ‘breaches’ are reported to individuals. While it may make sense to require mandatory reporting to a commissioner’s office to ensure that there is oversight, there are many ‘events’ which simply do not amount to a situation requiring that individuals be notified and made concerned. The typical event is one where personal information is sent by e-mail to an incorrect party with which the sender has a relationship; the usual course is to have the e-mail deleted, both from the recipient’s mailbox and from the recipient company’s systems, and to obtain written confirmation that the data has not been disclosed or retained. This is not a situation requiring notification to individuals: the recipient is often in a position of responsibility in the recipient company, and has notified the sender of the mis-sent e-mail, so it is difficult to see how there could be a risk of misuse. The event should still be recorded internally, so that a pattern of mis-directed e-mail is visible to the organization and to the commissioner on review. I highlight this scenario because it is very common and yet, under some US state laws, it can easily require notification to individuals. With oversight, I believe it is possible to resolve most of these events without unduly alarming people. I don’t buy into ‘breach exhaustion’; I do believe that a lack of understanding is a major reason why only 15-20% of credit monitoring offers are usually taken up by the individuals receiving them after a breach notification, even though the monitoring is free. This is why, to some extent, we in the privacy community must act as risk managers for the public.
- Increased Enforcement Powers: I agree that these should be enhanced; the main concern most in the privacy community have is whether this would ‘chill’ the otherwise informal, open, ombudsman-like role the Commissioner’s office plays in resolving privacy issues between organizations and individuals. I once observed, at an IAPP event in the US where FTC Commissioners were holding a town hall, a lawyer refuse to identify himself when asked to by an FTC Commissioner during a question. I think we never want to reach that level of mistrust. This could be addressed by ‘codifying’ some of the alternative dispute resolution mechanisms that the Office can employ (conciliation, mediation and arbitration) at the same time that enforcement powers are enhanced. The ombudsman role could be further protected by ensuring that the ‘conciliation’ and ‘enforcement’ arms of the OPC are separated by an ‘ethical’ wall, so that organizations feel comfortable sharing information with the OPC.
- Accountability for Cross-Border Data Transfers: The Commissioner remarked during her speech at the general session of the IAPP Privacy Symposium that it was difficult to assert that we had effective control over flows of data out of Canada to the EU, given the limits of her enforcement powers. Ultimately this is not only a matter of having fine-making powers; cross-border issues will also have to be addressed under the accountability provisions, so that organizations taking personal information out of Canada must ensure that adequate controls carry Canadian privacy principles along with the data. In the EU, transfers to countries without an adequacy finding are typically covered by the Model Clauses; but frankly, the use of these agreements has become a very bureaucratic system of registrations, fees and much headache, due primarily to the logistical challenge multinationals face in meeting the formalities of the agreements. We can do better: we can require, through governance or through contract, accountability for the management of data in accordance with the commitments made to Canadians, and require that this accountability ‘travel’ with the data. We leave it to the organization to determine how best to do so, knowing that it may be called upon to defend its approach.
- Lawful Access: I won’t pretend to the knowledge that others, particularly Michael Geist, have on this topic, but the Discussion Paper’s emphasis on disclosure of access requests was interesting to me for what is missing: accounting not by the recipients of such requests, but by the makers. Professor Geist put forward quite a detailed set of ideas to deal with the last version of ‘lawful access’ under Bill C-30, but the most important one, in my view, is that suggested by Ontario Privacy Commissioner Dr. Cavoukian: an independent body to review lawful access requests. I don’t know that a new body is needed (perhaps the accounting can simply go to the Federal Commissioner’s office), but oversight again will help to facilitate legitimate law enforcement needs while retaining accountability.
I am sure that there will be many thoughts expressed from many quarters; I think the Discussion Paper is an invitation to do just that, to discuss. More importantly, I think we need to create some urgency for change with the legislators, to move forward at last on updating the Canadian privacy framework.