STRATFORD, Ont. — Nearly two decades after it was first passed, the federal privacy law that covers the private sector urgently needs to be overhauled with “cutting-edge” standards, says an Internet law expert.
Since the Personal Information Protection and Electronic Documents Act (PIPEDA) was passed, Ottawa has been reactive rather than proactive in responding to changes in technology and in how people use it, law professor Michael Geist of the University of Ottawa told the annual conference for infosec members of the Municipal Information Systems Association of Ontario here this week.
One example: Updating PIPEDA to make breach reporting mandatory was first proposed in 2007. The amendment was passed in 2015, but only comes into effect today.
Another: The European Union’s General Data Protection Regulation (GDPR) came into effect in May, but the government hasn’t yet acted to update PIPEDA to bring it in line with the new EU law.
“Public concern with privacy has become increasingly pronounced,” he said, calling it “a global phenomenon.”
At a time when Ottawa is drafting a national data strategy for making Canada a data leader “we can’t think about a national data strategy without also thinking about the privacy and security-related issues,” Geist said.
We have to do it by also ensuring “we’ve got forward-looking, cutting-edge privacy and security standards.”
In fact, just as some websites had a digital clock earlier this year counting down the hours until the GDPR came into effect, Canada should have a digital clock for passing PIPEDA 2.0 with “new updated rules that factor in the myriad of challenges as well as opportunities that technologies bring from a privacy and security standpoint.”
In an interview, Geist said he’s hopeful the government will act. “This is emerging as a prominent issue that will be harder for political parties to ignore,” he said. “I was struck by the reaction the government got to its electoral reform bill [C-76, which says federal political parties have to detail their data privacy policies but doesn’t force them to comply with PIPEDA] and the absence of stronger (privacy) standards for political parties.”
A parliamentary committee has recommended parties have to comply with PIPEDA, but the government has only said it will study changing the law.
As pressure on privacy issues increases, “I think politicians can try to sidestep issues,” Geist said, “but the ones that want to be re-elected have to be responsive to where public sentiment is, and I think public sentiment is moving more strongly in that direction.”
He also believes the EU will decide PIPEDA isn’t similar enough to the GDPR to earn an adequacy finding, which would further pressure Ottawa to update the law. While the EU has said its review will take a year or so, Canada shouldn’t wait to act, Geist said.
“If we wait for a non-adequacy finding it would be a huge blunder. That’s one area where we have to be proactive rather than reactive.”
An updated PIPEDA, he suggested, should oblige companies collecting personal data to get clear consent from users, force companies to be more transparent about what personal data is collected and handed over to law enforcement (“Bell still doesn’t disclose how many information requests they get [from police] on an annual basis”), and increase the powers of the federal privacy commissioner.
It should also deal with the challenges of handling anonymized information in a ‘big data’ environment, where analytic tools may make it possible to re-identify the individuals behind supposedly anonymous data.
Even a search engine run across the Internet, combined with other publicly available information, might be enough to re-identify a person, he said.
There are a number of privacy laws across the country, he noted: PIPEDA applies only to the private sector, the federal Privacy Act applies only to the federal government, and many provinces have their own health and municipal privacy acts. But, Geist said, this siloed approach may not be appropriate any more.
“Some of the kinds of standards we’ve established to divide what’s in and what’s out [of privacy laws] may be far less effective today than they once were.
“When we have different standards in those rules, when the data traverses so easily between private and public we’ve got to think more broadly about what sort of privacy safeguards do we want in the country.”