Privacy Legislation and Regulation


Security Breach Notification

CIPPIC has been at the forefront of efforts to legislate a data security breach notification requirement in Canada.  Beginning in March 2005, when the huge Choicepoint data breach in the USA became public, CIPPIC has advocated for laws requiring organizations to notify authorities and affected individuals when personal information is exposed to potential abuse.  In January 2007, CIPPIC issued a White Paper on this issue, canvassing US data breach notification laws and proposing approaches for Canada to take.  In 2008, CIPPIC argued for a public data breach registry to complement individual notifications and Privacy Commissioner monitoring.

CIPPIC News Release on Choicepoint data breach (March 2005)
CIPPIC comments to Consumer Measures Committee on ID Theft (Sept 2005)
CIPPIC Submission to Parliamentary Committee on PIPEDA Reform (November 2006)
CIPPIC White Paper on Approaches to Security Breach Notification (January 2007)
CIPPIC Submission to Industry Canada on PIPEDA Reform (January 2008)
CIPPIC Comments on Industry Canada's Proposed Model for Breach Notification (April 2008)

Personal Information Protection and Electronic Documents Act ("PIPEDA")

PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (which have their own, similar laws). See our FAQs on PIPEDA for more information.

PIPEDA Review

PIPEDA was scheduled for Parliamentary review in 2006 (five years after coming into force). In September 2006, CIPPIC filed comments with the federal Privacy Commissioner on a variety of issues regarding PIPEDA, in response to her call for input regarding the upcoming Parliamentary review. Parliament began its review of PIPEDA on November 20, 2006, via the House of Commons Standing Committee on Access to Information, Privacy and Ethics.  CIPPIC filed a written submission with the Parliamentary committee in November 2006, making 20 recommendations for legislative amendments, and appeared before the Committee on December 6, 2006. The Committee heard from numerous stakeholders, and issued its report on May 2, 2007.

The federal government responded to the Committee report in October 2007, and then issued a public notice inviting comment on the specifics of implementing a data breach notification provision, as well as on the concepts of "work product" and "lawful authority". Other issues on which public input is being sought include witness statements, consent by minors, investigative bodies and the extent to which elements contained in the health-related PIPEDA Awareness Raising Tools (PARTs) document may be set out in legislative form.  Comments are due by January 15, 2008, and can be sent by email to PIPEDAconsultation@ic.gc.ca.

Submissions to Industry Canada on PIPEDA Review (Jan 2008)
-    CIPPIC submission
-    Privacy Commissioner of Canada submission
-    PIAC submission
-    Adam Shostack submission
-    Other submissions (posted on Industry Canada website)

Regulations exempting organizations subject to "substantially similar" provincial laws

In response to Industry Canada's February 2005 call for comments on its proposed exemption order under PIPEDA for health information custodians in Ontario, CIPPIC filed comments pointing out a substantial difference between the federal and provincial privacy regimes, in respect of permitted disclosures of personal health information for research purposes, without the patient's consent. Under PIPEDA, certain important criteria must be met. Under the Ontario legislation, such criteria need only be "considered" by a research ethics board.

Regulations specifying "Investigative Bodies" under PIPEDA

Personal Information Protection and Electronic Documents Act ("PIPEDA") - Regulations Specifying Investigative Bodies: In November 2003, CIPPIC submitted comments on proposed amendments to the regulation designating "investigative bodies" under PIPEDA. Under the Act, designated "investigative bodies" can receive and disclose personal information without the knowledge or consent of the individuals concerned. CIPPIC's comments focused on the need for more rigour in the granting of this status, as well as specific concerns regarding the application by Teranet Services Inc.

The Privacy Act

The Privacy Act is a federal statute governing the federal government's treatment of personal information.  It was passed in 1983, before computer technology revolutionized information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats.  The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.

Privacy Commissioner of Canada, Government Accountability for Personal Information; Reforming the Privacy Act (June 2006)
Privacy Commissioner of Canada, Addendum to June 2006 report (April 2008)
Privacy Commissioner of Canada, Proposed Immediate Changes to the Privacy Act (April 29, 2008)

CIPPIC, Submission to the ETHI Committee on the Privacy Act (May 2008)

Privacy Oversight Bodies

In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.

CIPPIC letter to Justice LaForest
Prof. Colin Bennett's letter to Justice LaForest
Ken Rubin's article in The Hill Times

This page last updated: June 2, 2007

Webpage URL: http://www.cippic.ca/documents/privacy/legislation/