New federal privacy, anti-spam bills get mixed reviews

The government of Canada is receiving mixed reviews for anti-spam and privacy legislation tabled in the House of Commons this week.

The Fighting Internet and Wireless Spam Act, which came amidst a flurry of new federal bills last week that included legislation to establish a national securities regulator, was a casualty of prorogation earlier this year despite sailing unanimously through the lower house on third reading. It reappeared this week with only minor tweaks to the previous version and is expected to have a positive reception.

But privacy law experts say a new bill to amend the Personal Information Protection and Electronic Documents Act needs more work. The bill finally implements the government’s 2007 response to a review of the act and was hotly anticipated for its promise of forcing businesses to report privacy breaches in certain circumstances.

The legislation will also increase the number of exemptions to consent for the release of personal data, which aims to make life easier for businesses and government institutions. Companies would be able to release information for business transactions or missing person investigations without notifying each individual concerned.

Tony Clement, the minister of industry, talked up the new bills in a statement last week.

“Canadian shoppers should feel just as confident in the electronic marketplace as they do at the corner store,” he said. “With today’s two pieces of legislation, we are working toward a safer and more secure online environment for both consumers and businesses - essential in positioning Canada as a leader in the digital economy.”

But John Lawford, counsel with the Public Interest Advocacy Centre in Ottawa, says the notification clause dealing with privacy breaches falls short because it gives too much power to the companies whose customers' data is compromised.

Under the bill, organizations are required to report all “material breaches” to the privacy commissioner. Individuals must receive notification only when the breach poses a “real risk of significant harm,” a standard Lawford says is difficult to meet and even harder to measure. In both instances, it is the organization itself that determines whether the breaches have met those thresholds.

“It leaves too much wriggle room,” Lawford says. “If it’s a borderline case, there’s still a lot of room for them to say, ‘We don’t want to take the hit on this’ and just let it play out and hope people won’t get hurt.”

Still, he hopes the law will spur most companies to improve their security anyway. “At least they can’t ignore it completely as they could in the past,” he says.

David Fraser, who heads McInnes Cooper’s privacy practice group, says the absence of penalties for non-compliance in reporting breaches is a weakness. He notes that while the Office of the Privacy Commissioner can audit a company based on a breach, the new legislation gives it no authority to force businesses to notify consumers, something other jurisdictions, including Alberta, allow for. “I think they’ve come close to striking the right balance but I’m not sure there’s enough of a stick in the proposed legislation to make sure that notification happens.”

David Fewer, director of the Canadian Internet Policy and Public Interest Clinic in Ottawa, was very disappointed by the weakness of the enforcement provisions. “It’s supposed to be a stick that fixes a market failure of companies to invest in secure storage of their customers’ information,” he says. “I can’t think of a weaker piece of security breach legislation.”

But Fraser says the bill may still have the desired effect, even without strong powers, as public awareness of breaches increases and organizations take precautions to minimize the chance of having an episode. “If breach notification is mandatory in every province, except B.C. and Quebec, then we’re going to hear a lot more about these things.”

Planned exemptions from consent for the release of data have also raised concerns. The bill expands the ability of organizations to provide personal information to police or other government institutions with the “lawful authority” to ask for it without warrants or court orders. Police had complained that requests for warrants slowed down missing-person investigations and other community policing efforts.

But Fraser says the bill failed to clear up confusion about what exactly “lawful authority” means since some courts have ruled open police investigations don’t amount to it.

In addition, companies would no longer be able to tell people about the release of their data if the institution objects, something that worries Lawford. “If you take that away, who’s watching that there aren’t abuses?” he asks. “That seems to me to go beyond what you need for finding missing persons and so on. I hope the legislators will think of some oversight mechanism where you at least report that you have done one of these requests.”

In the meantime, Fewer says the privacy bill pales in comparison with anti-spam legislation. “It’s a strong piece of legislation and it’s easy to comply with. There’s not piles and piles of red tape. What I like about it is it has some teeth, unlike PIPEDA. That gets the attention of businesses, and they’ll take its provisions very seriously.”

The bill expands the mandate of the three enforcement agencies involved with spam: the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the privacy commissioner. It also allows them to share information with their counterparts around the world.

The CRTC can penalize violators with up to $1 million in fines for individuals and $10 million for businesses. There’s also a private right of action, based on a similar provision in the United States, allowing consumers to take civil action against violators.

The government says the legislation makes Canada a world leader in the fight against spam. Fewer agrees with that assessment, saying most legislation stops short of a blanket ban on spam and spyware and instead leaves loopholes that spammers quickly learn to exploit.

“They don’t get into the game of saying some forms of spam are fine,” he says. “It says you own your hard drive and you own your inbox, so the only people who will be sending spam are people who you have given permission to or spammers, the bad guy.”

At the same time, Fewer isn’t worried about spammers simply setting up shop elsewhere in the world. “The dark places of the Internet should stay dark corners, and Canada should not be one of them,” he says.