Today, I was pleased and, more correctly, honoured to appear before a Senate Committee to speak with Kara Mitchelmore, the CEO of the MRIA, regarding Senate Bill S-4, the Digital Privacy Act. The official opinion will shortly be available, but for those of you who can’t wait, here is the basic gist of it. Any inaccuracies here are my own.

1) Breach notifications should be mandatory, and the Privacy Commissioner should be the unbiased third party that determines what is a real risk of significant harm to an individual.

2) The MRIA supports the provisions in the bill which add clarity to what is valid consent. The committee may be interested in our code of conduct, which contains a section on the ethical issues in dealing with children and young people.

3) The MRIA is pleased that PIPEDA will be amended to allow the transfer of personal information from an organization to a prospective purchaser or business partner (think mergers and acquisitions).

4) The MRIA does not support allowing organizations to share personal information of individuals with other organizations without consent. It should follow due process such as through a court order.

5) The MRIA would like to close a loophole which allowed organizations to share personal information without consent with an investigative body or government institution. It should follow due process such as through a court order.

After we spoke, Michael Geist, a law professor at the University of Ottawa, made numerous excellent points (Michael’s website). Some of his comments are included here (any errors or misrepresentations are my own).
- desire for a lower standard of what constitutes a breach (i.e., it doesn’t need to be a real risk of significant harm, it can be less than that)
- increased reporting of breaches both major and minor, as well as breaches to unauthorized persons that may not have caused ‘harm’
- the expansion of warrantless disclosure must be removed
- order making powers are necessary
- public reporting of the number of disclosures without a warrant should be made on a quarterly basis and individuals should be notified within a certain period