Privacy violations highlight the need for law reform
Earlier this week, the Office of the Information and Privacy Commissioner for B.C. (OIPC BC) and the Office of the Privacy Commissioner of Canada (OPC) released a joint investigation report that found a B.C. company violated B.C.’s provincial and Canada’s federal privacy laws.
The report states that, while conducting business on high-profile campaigns in the U.K., the U.S., and Canada, AggregateIQ did not comply with the consent provisions of B.C.’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and did not employ reasonable security safeguards.
The report makes two recommendations in order for the offending company to become compliant with Canadian privacy laws:
- That they take measures to ensure that the consent they have received to collect, use, and disclose personal information is in compliance with PIPA and PIPEDA;
- And that they employ reasonable security safeguards to protect the personal information in their control.
The OIPC BC and the OPC will collect evidence from the company in approximately six months to confirm that the recommendations have been implemented and that the company is now compliant.
Fines are the international standard for privacy enforcement
This response highlights the need for Canadian regulatory bodies to have the power to issue fines when they find organizations to be in violation of Canadian law.
When asked why no fines were issued despite the investigation finding the company to have violated Canadian privacy laws, the Information and Privacy Commissioner for B.C., Michael McEvoy, said: “There are no fines because we do not have the authority to levy fines.”
Absent amongst the international media attention that this report received is the observation that Canada’s privacy regulators are powerless to enforce privacy laws through fines.
International regulators are using their fining powers to compel compliance to great effect. Examples include the Federal Trade Commission’s multibillion-dollar civil penalty against Facebook, and the U.K. Information Commissioner’s Office (ICO) announcing its intention to fine British Airways more than £183 million.
In fact, the ICO in the U.K. has a standing enforcement notice against AggregateIQ, threatening fines of up to 20 million euros should the company not comply with the notice within 30 days of the conclusion of the joint OIPC and OPC investigation.
This leads one to wonder whether AggregateIQ is implementing the recommendations of the OIPC BC and OPC out of good faith, or because it faces the threat of significant fines from an international regulatory body.
Canadian regulators need fining power to protect privacy
“At the end of the day, privacy, and the legislation that governs it, needs to be brought into the 21st century where the realities of cross-boundary data sharing leave much to be coveted in terms of protections for personal information,” says Joyce Yan, BC FIPA’s Interim Executive Director.
“We have been a longtime advocate for increasing the Commissioners’ powers, but with the case of AggregateIQ, it has become clear that order-making powers (a tool the federal Privacy Commissioner still doesn’t have in his toolkit) are simply not enough. The provincial and federal privacy laws are antiquated, and we are falling behind our foreign counterparts.”
We strongly urge our fellow privacy advocates to join us as we continue to push for law reform that gives Canadian regulators the power necessary to protect privacy and compel compliance.