Canadian privacy law recommendations from House of Commons

Courtesy of Slaw, I’m now reading through the list of recommendations from the review committee. Slaw lists the recommendations in a recent blog post.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

The notification of breach recommendation is interesting. Remember the Winners credit card breach, followed by the Club Monaco one? Even after those fiascos there is still resistance to requiring businesses to report information leaks. The report mentions that companies tend to look to the privacy commission for guidance anyway, and the Openness Principle of the CSA Model Code already makes companies responsible for disclosure. I’d just feel more comfortable if there was a punishment for companies that fail to notify.

… While supporting the notion of a duty to notify, the Commissioner pointed to the difficulty of choosing an appropriate model and she noted that a duty to notify did not easily fit into the current PIPEDA model since there is no straightforward way to penalize organizations that fail to notify individuals about security breaches. …

I’m glad that the report recommends a breach notification clause and I hope that the amendment will have some teeth.

My next concern is what happens to my data when it’s moved outside of Canada. I have a Canada.com email account and I remember when they changed the privacy policy to say PIPEDA no longer applies. It’s a good thing that’s not the case. I tried to form an opinion on whether or not it’s a good thing that there’s no change recommended and drew a blank. I just don’t know what protections PIPEDA gives me. I need to read more but at least I’m not in any worse shape.

The full report is available. Michael Geist has a less than positive take on it.
