If it ain’t broke…
That’s essentially what the CBA told the Access to Information, Privacy and Ethics Committee in March about the existing consent model in PIPEDA – the Personal Information and Protection of Electronic Documents Act that was enacted in 2001.
In a March 23 appearance before the committee to present a joint submission from the CBA National Privacy and Access Law Section and the Canadian Corporate Counsel Association, Suzanne Morin said that, with a couple of exceptions, the status quo is quite acceptable.
“The CBA Sections generally support maintaining the existing consent and ombudsperson models in PIPEDA in the absence of a compelling need for legislative change, while carefully monitoring Canada’s EU adequacy status,” the submission says “Within these existing models, PIPEDA and its regulations should be amended to ensure they are technology neutral and allow the (Office of the Privacy Commissioner) to issue non-binding advance opinions.”
The CBA Sections offered up five recommendations, including maintaining the existing consent model, which is “robust in its protection of the privacy of Canadians;” maintaining the existing OPC’s ombudsperson role; and monitoring legislative developments in the EU to ensure that Canada retains its partial adequacy status, which has enabled the transfer of personal information from the EU to Canadian organizations that are subject to PIPEDA without requiring any other mechanisms to safeguard privacy.
Where the CBA recommends changes is in the regulations that accompany PIPEDA to make them technology neutral “and able to accommodate both existing and evolving business models and customer expectations.”
“PIPEDA was carefully drafted to be technology neutral,” the submission says. “However, unlike PIPEDA, the Regulations that were published subsequently missed the mark, and have created uncertainty. Exemptions included in the Regulations have been unable to keep up with changes in technology, with how organizations communicate with individuals, or how they use information that individuals have chosen to make public.”
The submission also recommends amending PIPEDA to allow the Office of the Privacy Commissioner to issue non-binding advance opinions to organizations proposing new programs, technologies, methodologies, or specific transactions. Currently, the OPC doesn’t provide organization-specific opinions unless there’s an investigation or an audit.
“Stipulating this express authority would make it clear that the OPC is expected to perform this function when approached by an organization, and support the allocation of resources to it.”