When was PIPEDA created

In addition to making breach reporting mandatory, the proposed Regulation would empower each data protection authority (DPA) to impose administrative sanctions, ranging from warnings to fines. One of the reasons PIPEDA was enacted was to create a vehicle for Canada to provide a level of protection for personal information that would facilitate the flow of personal information from EU member states to Canada.

The current EU Data Protection Directive, adopted in , which the proposed Regulation would replace, introduced a requirement that member states allow transfers of personal information to a third country such as Canada only if that country ensures an adequate level of protection for the information.

The adequacy concept is retained under the Regulation. Against the backdrop of these changes, the enforcement model provided for under PIPEDA appears increasingly out of date. When it was introduced in , it was considered a leader among data protection legislation because of its technology-neutral, principles-based approach.

However, the past decade has witnessed the rise of new laws elsewhere that provide data protection authorities with stronger powers, commensurate with the increasing risks to personal information. While, at the moment, the Commissioner has the power to name a company in the public interest, which may encourage some companies to adopt her recommendations in order to avoid negative publicity about offside privacy practices, naming is ultimately only one means of encouraging compliance.

Recommendation 1: Strengthen enforcement and encourage greater compliance.

There are a number of options that, alone or in combination, could strengthen the current enforcement model and encourage greater compliance with the Act. These could include statutory damages administered by the Federal Court; giving the Commissioner the power to make orders; affording the Commissioner the power to impose administrative monetary penalties; or a combination of the above. Another option would be to give the Commissioner power to order organizations to do or cease doing something in order to bring themselves into compliance with PIPEDA. A third option would be to afford the Commissioner the power to impose administrative monetary penalties in cases that warrant it. Each of these enforcement options is explored further below.

Pursuant to the statutory damages model, damages would be awarded for contraventions of certain PIPEDA provisions, without the requirement for a claimant to prove an actual loss stemming from the contravention. A range of damage awards could be prescribed, setting out minimum and maximum amounts for contraventions of specific provisions.

Within that range, courts may assess damages based on a number of explicit factors to be taken into consideration. From a policy perspective, statutory damages are appropriate in situations in which it is difficult or impossible for a plaintiff to prove a quantifiable loss as a result of a contravention of the law.

Increased certainty with respect to damage awards that may be available can encourage plaintiffs to enforce their rights before the Courts in appropriate circumstances and discourage plaintiffs with unrealistic expectations from pursuing court action.

Greater certainty in law is also beneficial for organizations in that they will know what they may face and be better able to evaluate risks and predict outcomes.

Statutory damages may be able to accomplish similar policy goals as administrative monetary penalty (AMP) regimes in terms of encouraging organizations, by means of financial incentives, to comply with PIPEDA. However, there are some significant differences. First, statutory damages could be awarded to aggrieved individuals, whereas AMPs are normally payable to the Consolidated Revenue Fund.

Second, under a regime of statutory damages, the Federal Court would continue to be the arbiter of damage awards within the parameters set out in statute according to well-established experience and litigation procedures. The Copyright Act contains a statutory damages regime for infringement of copyright. This regime was amended in , establishing minimum and maximum awards for non-commercial and commercial infringements. This is a noteworthy development in that Parliament has already considered it appropriate to create a statutory damages regime applicable to PIPEDA for specific contraventions.

Order-making powers would allow the Commissioner to issue a binding order to an organization to either do, or cease to do, certain things, in order to redress consequences of a contravention, or to prevent one.

In other words, the Commissioner would be able to order what she can now only recommend. For its part, the organization could avail itself of judicial review. The scope of provisions over which the Commissioner would be afforded order-making powers would be a question of legislative policy.

Under those laws, orders can be issued to the private sector with respect to certain actions. The Commissioners in those provinces also have other functions that enable them to perform multiple roles, such as educator, adjudicator, enforcer, advocate and so on.

Administrative monetary penalties (AMPs) are civil penalties or fines that may be issued in response to non-compliance with the law. An AMP is not intended to be punitive.

Its intent is largely to encourage compliance, or conversely deter non-compliance, through financial incentives. AMPs are imposed by the agency administering the statute, not the courts.

If not paid, they become debts to the Crown that may be collected by means of civil action in the courts. The decision to impose an AMP, like any other administrative agency decision, would be subject to judicial review. AMPs may be considered a distinct instance of an order-making power, but differ from other binding orders in that they oblige the organization to pay a defined sum of money.

Statutory AMP schemes typically specify the standard of proof to be on a balance of probabilities and set out maximum and minimum amounts; they may also include a list of criteria to be used in determining the size of the AMP, or grounds which may or may not be invoked as defenses in AMP proceedings. Statutory AMP schemes are sometimes also characterized by specific procedural requirements, timeframes and review or appeal mechanisms.

FINTRAC, for example, was created in to detect, prevent and deter money laundering and terrorist activity financing. Unlike its partners in the enforcement of CASL, the OPC does not have the ability to seek or impose administrative monetary penalties as an enforcement tool.

Of the other Agents of Parliament, the Conflict of Interest and Ethics Commissioner has the power to levy an AMP on reporting public office holders who do not meet certain reporting requirements under the Conflict of Interest Act.

The vast quantities of personal information in the hands of organizations can create serious risks to the privacy of the individual. To be sure, such breaches are not new. What has changed, however, even since the first review of PIPEDA began in , is the nature, scope and scale of the information at risk. Breaches risk undermining identity protections and reputation, and they can be expensive for all parties to clean up.

Over the past few years, there have been a number of high-profile data breaches both in Canada and abroad that compromised the personal information of Canadians. There can be many harms stemming from such breaches, including identity theft, financial loss, negative credit ratings, and even physical harm.

While there is some research suggesting that, overall, organizations are expected to increase IT security spending to protect their data assets from theft and attack (Footnote 24), other research suggests that organizations, particularly those in Canada, are not focusing enough resources in this area. We think more attention needs to be paid to these issues.

Require organizations to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigating measures can be taken in a timely manner.

While some choose to voluntarily report, as well as inform individuals of the breach in appropriate cases, many do not, leaving affected individuals at risk. Until there is a mandatory notification requirement, which can bring the number, nature and size of privacy breaches out in the open, the full picture remains opaque. What is clear, however, is that the current situation creates an uneven playing field for organizations.

Those that report may face reputational damage and the expense of cleaning up, while those that do not report may potentially escape with no negative effects on their reputation or bottom line. In recent years, other international jurisdictions have developed new approaches to dealing with serious privacy breaches and have taken measures to shore up their privacy frameworks. For example, the United States has been a leader in developing mandatory breach notification legislation, with most states having passed mandatory notification legislation.

As noted earlier, the United Kingdom also has the ability to fine organizations in relation to serious breaches. All member states in the European Union are required to implement breach notification laws with respect to telecommunications companies and other providers of electronic communications services.

The proposed European Union Regulation would expand this to cover other organizations. In addition to making it mandatory for organizations to report breaches to the OPC and to inform individuals in accordance with applicable thresholds, the failure to notify should be made a reviewable provision, along with the failure to establish security safeguards, and subject to stronger enforcement, as described in Section 1, above.

Paragraph 7(3)(c). At present, under this provision, companies have the discretion to challenge or refuse such requests under PIPEDA; many have done so where they believe the requesting authority ought to first obtain a court-authorized order. However, others may be less resistant given the broad language of paragraph 7(3)(c). We have no way of knowing for certain the number, scale, frequency of, or reasons for, such disclosures, although we understand that they are substantial.

An organization cannot require a person to consent to the collection, use and disclosure of personal information as a precondition to providing services, unless the collection, use or disclosure of personal information is reasonably required to fulfill the explicitly stated and legitimate purposes. Consent may be express or implied, oral or written. The appropriate form of consent will depend upon the circumstances and the sensitivity of the personal information in question.

Ensure that personal information in their possession, power and control is kept up-to-date and accurate in order to minimize the possibility that inaccurate information is used to make a decision about an individual. This responsibility must be tempered, however, with an organization's responsibility not to routinely update information unless it is necessary in order to fulfill the purposes for which the information was collected.

These conflicting requirements will require organizations to re-evaluate their data retention policies.

Develop and implement a Privacy Policy that is consistent with the Model Code's 10 principles, which sets out the organization's purposes for collecting, using and disclosing personal information and sets out the measures taken to ensure the safe-keeping of such information.

The Privacy Policy must also provide a mechanism for individuals to access their personal information and provide a mechanism for making and responding to inquiries and complaints.

The Privacy Commissioner encourages organizations to ensure that the designated Privacy Officer is a member of senior management.

Publicize its Privacy Policy and the identity and contact information of the Privacy Officer. An organization must also publicize the kinds of personal information it holds, how it can be accessed and what types of personal information it provides to third parties, including its subsidiaries and/or parent company.

Implement security measures to protect the personal information in their control. Such security measures must take into account protecting both hard copies and electronic copies of personal information from theft and other unauthorized access, disclosure, use or modification.

Where a complaint is brought to the Privacy Commissioner, s/he may conduct an investigation of the organization that is the subject of the complaint upon being provided with reasonable grounds that there has been a privacy violation.

Where the Privacy Commissioner has reasonable grounds to believe that an organization is contravening PIPEDA, s/he also has the right to audit the personal information practices of the organization at any time upon providing reasonable notice. Where a complainant is not satisfied with the Privacy Commissioner's handling of the complaint, s/he may, within 45 days of receiving the Privacy Commissioner's report, file an application with the Federal Court.

At the moment, the only province with comprehensive privacy legislation that has been deemed substantially similar to PIPEDA is Quebec. Some of the other provinces have either enacted private sector privacy legislation (British Columbia) or have legislation pending (Alberta), but none have yet received approval from the federal government that the legislation is substantially similar. In addition, some provinces have enacted sector-specific private sector privacy legislation.

For example, Manitoba, Alberta and Saskatchewan have all enacted legislation that deals with the privacy of personal health information. As such, in these provinces, one must take into consideration both PIPEDA and the provincial, health-specific privacy legislation. There is no time to waste. If not already underway, organizations must immediately appoint a Privacy Officer and conduct a privacy audit to evaluate how and when they collect, use and disclose personal information. Immediate steps must also be taken to develop and implement a Privacy Policy that will assist the organization in ensuring PIPEDA compliance by January 1, .

She has a background in litigation but also advises healthcare clients on a broad range of legal and policy issues.

As of November 1, , organizations subject to PIPEDA that experience a data breach need to determine whether the access to or loss of personal information can cause a "real risk of significant harm" to individuals.

The new provisions were approved back in as part of S-4, the nation's Digital Privacy Act. The OPC defines harm as "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." PIPEDA doesn't identify specific safeguards organizations can use, but it does stress that organizations need to ensure personal information is adequately protected.

In order to comply with PIPEDA's new rules, it's important for organizations to have data protection safeguards in place to detect and respond to potential security incidents and to ensure that personal information under their control is adequately protected. The OPC also offers a self-assessment tool to help medium and large organizations build good privacy governance and management.
