Interview with Theo Ling
December 2007
Interviewee: Theo Ling, Partner, Baker & McKenzie
Subject: Understanding Standing Committee Recommendations and the Government Response for the PIPEDA Review
Nymity: What was the role of the Standing Committee and when did they make their recommendations to the Government?
Ling: Pursuant to Section 29 of PIPEDA, the privacy-related provisions of the Act are to be reviewed by a designated committee of the House of Commons every five (5) years, and such committee is required to submit a report ("Report") to Parliament stating its recommended changes to PIPEDA. As part of this inaugural statutory review of PIPEDA, the Committee heard from 67 witnesses between November 20, 2006 and February 22, 2007 and received 34 submissions from additional individuals and organizations. In May 2007, the Committee submitted its Report. The Conservative government considered the Committee's 25 recommendations over the summer and published its response ("Government Response") to the Report in October 2007.
Ling: I was recently asked to provide an overview and analysis of the recommendations made in the Report and addressed in the Government Response. I prepared the Chart as a visual tool to help the audience more easily understand the context and scope of the discussion that took place as well as to highlight some of the possible changes to PIPEDA that we might expect over the course of the year ahead.
A number of noteworthy observations can be made from looking at the Chart:
First, one can see that most of the recommendations benefit organizations or organizations/data subjects as opposed to data subjects only. This is perhaps not surprising given that businesses represented a majority of the witnesses and parties that made a submission to the Committee. The only two areas where data subjects are clearly the main beneficiary of the recommendations are in the context of minors' consent and breach notification issues.
Second, most of the recommendations that pertain to the fine-tuning of consent standards and consent exemptions support the view that there should be greater harmonization of PIPEDA with one or more of the provincial private-sector privacy laws that have been deemed to be substantially similar to PIPEDA.
Third, the Government Response was generally in line with the sentiments of the Recommendations and only deviated from the Recommendations in cases where the government feels that: (i) the identified issues can be addressed in ways other than by amending the statute (e.g. by regulation or through issuance of guidance documents), (ii) the privacy commissioner's office lacks the resources to support the recommendation (e.g. Commissioner to decide when data subjects need to be notified of a breach), or (iii) there is not yet adequate public consensus or court guidance on the issue (e.g. treatment of workplace personal information / denial of access to personal information based on a client/solicitor claim).
Nymity: Based on the Government's response, which recommendations have the largest potential impact to corporations subject to PIPEDA?
Ling: It is clear from both the Report and the Response that there is overwhelming support for PIPEDA's "principles-based" approach, which seeks to balance the privacy rights of individuals and the legitimate needs of business organizations to manage their information holdings. In this regard, we should expect a fine-tuning of PIPEDA as opposed to a fundamental change in direction or philosophy. While many privacy advocates hoped for stronger data subject rights, one area where we will certainly see an evolution of the law, which will have a significant impact on both organizations and data subjects, is with respect to security breach notification requirements and protocols.
Nymity: What is the importance of defining "Work Product" and "Business Contact Information"?
Ling: As mentioned earlier, one of the themes in the Report is greater harmonization of PIPEDA with "second generation" provincial privacy laws (that is, the laws that were introduced after PIPEDA). As the drafters of the second generation privacy laws had an opportunity to assess the application of PIPEDA to real world scenarios prior to putting forward their own law, those laws are arguably written in a more pragmatic and practical manner. One type of data that businesses feel should not be subject to the same standard of regulation is information that may identify an individual but is essentially business contact information or part of work product generated by employees for the organization. If the recommendations in this area are adopted, the scope of what will constitute "personal information" for the purposes of determining compliance obligations will be narrowed.
Nymity: Based on the Government's response, what are the potential changes to consent?
Ling: It is quite likely that we will see an expansion of scenarios where consent will not need to be obtained, particularly with regard to the use of employee personal information in certain work-related scenarios and disclosures made in furtherance of a business transaction or in a family or emergency scenario.
Nymity: Now that the Government has responded to these recommendations, what will happen next?
Ling: Interestingly, the Government feels that there is not yet enough consensus on a few of the recommendations and as such has called for another round of public input. The public has until January 15, 2008 to make further submissions to Industry Canada.
Nymity: In closing, should an organization take any steps to prepare for amendments to PIPEDA, or should they wait?
Ling: I think that it would be advisable for all organizations to brush up on the current privacy breach notification guidelines published by the data authorities and to start developing and implementing protocols for responding to breach situations in line with such guidelines. The actual amendments to PIPEDA may not result in a broad range of mandatory notification scenarios but the onus on organizations to act responsibly in each case of a security breach is arguably already upon us along with the associated business risks.