In the slew of announcements from the Digital Canada 150 strategy today, measures to protect privacy weren’t forgotten – while details about updates to privacy legislation were scant, it was made clear the government will pursue a new requirement that firms report data breaches to the Privacy Commissioner of Canada.
Speaking from Waterloo, Ont. on Friday, Industry Minister James Moore said he would be in the House of Commons next week to unveil new legislation called the Digital Privacy Act. The act is designed to be an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), he said. After referencing the recent Target data breach, Moore gave one clue about what to expect in next week’s legislation.
“What we will put in place in this legislation is a mandate that firms that have this private personal information, if there’s any data breach, they can’t sit on it, they have to immediately inform those customers,” he said. “They have to tell them about the mitigation taking place to protect the information and they have to inform the privacy commissioner.”
Moore added the Office of the Privacy Commissioner of Canada would be getting new powers and responsibilities to protect Canadians’ privacy online. Though he did not outline exactly how the privacy commissioner’s role would change, he indicated the Digital Privacy Act wouldn’t dramatically change the office’s role.
A private member’s bill previously brought to the House of Commons “went too far in my view in providing prosecutorial powers to the privacy commissioner. This one doesn’t do that,” he said. “It provides new tools, but it still provides the ombudsman role for the privacy commissioner.”
In an emailed statement, a spokesperson for the privacy commissioner said the office was also still waiting on more information.
“What we can tell you at this point is that we are encouraged by this morning’s announcement and look forward to seeing the details. For some time now, our Office has been saying that PIPEDA needs to be updated to better protect the privacy rights of Canadians and ensure consumer trust in the digital economy,” the email read, adding the law needs to be modernized for stronger powers for enforcement, as well as a mandatory policy getting companies to report data breaches when they occur.
What remains to be seen is the exact wording of the legislation for both data breach reporting and the privacy commissioner’s role, said John Lawford, executive director of the Public Interest Advocacy Centre (PIAC).
“It’s not very clear. Aside from vaguely defined enforcement powers, we don’t know how it will translate,” he said. “During the question and answer part after, Moore did say the [privacy] commissioner can’t be proactive, and won’t be an inquisitor … But the wording is all important.”
Like the privacy commissioner’s office, one thing PIAC is hoping for is a policy where businesses must inform the privacy commissioner if they’ve suffered a data breach. Right now, that’s a voluntary action – but PIAC wants the privacy commissioner to be able to fine businesses if they fail to say anything.
Still, for a strategy that was four years in the making, the lack of detail was disappointing for David Christopher, communications manager of OpenMedia.ca. Nor was he optimistic about the kind of new powers the privacy commissioner would be receiving.
“He seemed to downplay the prospect of giving the privacy commissioner extra powers,” Christopher said. “It seems like that’s not going to be beefed up the way it needs to be.”