As you know, the federal government last week introduced Bill C-29 to amend the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). In this note I want to mention the breach notification rules. Essentially, a person with control of personal information will have to report to the Privacy Commissioner of Canada any ‘material breach’ of confidentiality, and notify affected individuals if ‘it is reasonable to conclude’ that the breach creates ‘a real risk of significant harm’.
The Commissioner is given no express power to order a data holder to notify if the data holder has chosen not to, and no express penalties for failing to report to the Commissioner or to notify the affected individuals.
These provisions have run into some criticism. Here is an excerpt from a recent news report in the Law Times (just quoting the criticisms, and just on data breach notification):
John Lawford, counsel with the Public Interest Advocacy Centre in Ottawa, says the notification clause dealing with privacy breaches falls short because it gives too much power to companies whose data is compromised.
Under the bill, organizations are required to report all “material breaches” to the privacy commissioner. Individuals must receive notification only when the breach poses a “real risk of significant harm,” a standard Lawford says is difficult to meet and even harder to measure. In both instances, it is the organization itself that determines whether the breaches have met those thresholds.
“It leaves too much wriggle room,” Lawford says. “If it’s a borderline case, there’s still a lot of room for them to say, ‘We don’t want to take the hit on this’ and just let it play out and hope people won’t get hurt.”
Still, he hopes the law will spur most companies to improve their security anyway. “At least they can’t ignore it completely as they could in the past,” he says.
David Fraser, who heads McInnes Cooper’s privacy practice group, says the absence of penalties for non-compliance in reporting breaches is a weakness. He notes that while the Office of the Privacy Commissioner can audit a company based on a breach, the new legislation gives it no authority to force businesses to notify consumers, something other jurisdictions, including Alberta, allow for. “I think they’ve come close to striking the right balance but I’m not sure there’s enough of a stick in the proposed legislation to make sure that notification happens.”
David Fewer, director of the Canadian Internet Policy and Public Interest Clinic in Ottawa, was very disappointed by the weakness of the enforcement provisions. “It’s supposed to be a stick that fixes a market failure of companies to invest in secure storage of their customers’ information,” he says. “I can’t think of a weaker piece of security breach legislation.”
But Fraser says the bill may still have the desired effect, even without strong powers, as public awareness of breaches increases and organizations take precautions to minimize the chance of having an episode. “If breach notification is mandatory in every province, except B.C. and Quebec, then we’re going to hear a lot more about these things.”
Are these criticisms well taken?
What is the alternative to having the data holder make the first decision about some kind of disclosure, whether the requirement is a report to the Commissioner or a notification to individuals? One can set up a system by which the Commissioner can order notification (as in Alberta) or by which the Commissioner can suggest notification (as in PIPEDA as it is to be amended), but unless the data holder tells somebody, or unless particular information can be traced back to the holder (not obvious in every breach), the holder always gets the first cut.
Michael Geist’s blog suggests that California’s statute (the first on this topic) is preferable to the PIPEDA proposals. California, like many US states, just lists particular kinds of information whose disclosure or compromise requires notification: social security numbers, driver’s licence numbers, credit card numbers, and some others.
I had understood that Canadian privacy commissioners preferred a risk-based test to a document-based test.
Industry Canada’s consultation paper of June 2008 used a test of a ‘substantial risk of significant harm.’ The Privacy Commissioner criticized that test as too high, or too hard to meet, or too easy to fall below, depending on your perspective. Alberta reformulated it as ‘a real risk of significant harm,’ and the feds have now followed. (There is also a ‘reasonable person’ test for applying the test. Is that necessary, or would the usual ‘balance of probabilities’ decision-making in common law produce the same result?)
Commentators have noted the lack of direct penalties for failure to notify. The Industry Canada paper of 2008 explained that the Commissioner had a good record of getting her way without direct order-making or penalty powers. There are penalties for disobeying a Federal Court order once the Commissioner obtains one. However, that circumstance may not apply in the provinces and territories, depending perhaps on whether the privacy authority in that province has the power to make orders. If there are no orders, can there be fines anyway? (And who prosecutes: the police or the privacy authority?) Alberta, for its part, provides a fine of up to $10,000 for an individual who breaches the notification rules and up to $100,000 for a corporation that does likewise (maximums in both cases, not fixed amounts).
The Alberta statute provides a due diligence defence for prosecutions. “Neither an organization nor an individual is guilty of an offence under this Act if it is established to the satisfaction of the court that the organization or individual, as the case may be, acted reasonably in the circumstances that gave rise to the offence.” (s. 59(4), PIPA)
Is this a good idea, given the number of tough judgment calls that need to be made in this area? Or does that consideration just lead back to the need for a more easily applied test for the duty to disclose?
Other views on C-29 and breach notification? Will Alberta and Canada together make a strong case for the Uniform Law Conference to follow them in the main lines?