Government of Canada Moves to Enhance Safety and Security in the Online Marketplace
OTTAWA - Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.
"Canadian shoppers should feel just as confident in the electronic marketplace as they do at the corner store," said Minister Clement. "With today's two pieces of legislation, we are working toward a safer and more secure online environment for both consumers and businesses - essential in positioning Canada as a leader in thedigital economy."
"Our government believes that personal information should be no less secure when shared online than anywhere else. That is why we are taking steps to ensure it is better protected," said Minister of State Lebel. "These measures will empower and better protect consumers while ensuring that Canadian businesses can continue to compete in the global marketplace."
To address public concerns about the increasing number of data breaches involving personal information, PIPEDA proposes a new requirement for organizations to report material data breaches to the Privacy Commissioner of Canada and to notify individuals where there is a risk of harm. This requirement will complement the government's recently enacted identity theft legislation and encourage better information security practices on the part of organizations.
PIPEDA also proposes amendments related to protecting the privacy of minors and other vulnerable individuals online. Other amendments are designed to clarify and streamline rules for business and support effective investigations by law enforcement and security agencies.
The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.
The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.
Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.
Government of Canada Introduces Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA)
The Government of Canada has introduced enhancements to private sector privacy legislation in a bill seeking to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). In doing so, the Government is implementing the Government Response to the first statutory review of PIPEDA and is delivering on a commitment made by the Minister of Industry at the June 22, 2009, forum entitled Canada's Digital Economy: Moving Forward.
In a modern, information-based economy, or "digital economy", a solid, efficient regime for the protection of personal information is vitally important for both consumers and businesses.
To ensure that PIPEDA continues to keep pace with rapid marketplace and technological changes, and their societal impacts, the proposed amendments in this Bill are designed to:
-- protect and empower consumers;
-- clarify and streamline rules for business;
-- enable effective investigations by law enforcement and security
-- make linguistic and other technical drafting corrections.
The proposed amendments will make a significant contribution to the government's efforts to ensure a safe and secure Internet for Canadians. A key proposed amendment would require organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the organization deems the breach to pose a real risk of significant harm, such as identity theft or fraud, or damage to reputation. This amendment will not only provide consumers with the information they need to mitigate harm resulting from a breach of their personal information, it will also encourage better information security practices in organizations. This proposed amendment will complement the government's new identity theft law, An Act to amend the Criminal Code (identity theft and related misconduct).
Acknowledging the increasing Internet usage rates of children, Canada is working with a number of international organizations to develop strategies to better protect children online. The Bill proposes an amendment to PIPEDA's consent regime that will provide further protection for children online by requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information.
The Bill also proposes additional exceptions to allow for the release of personal information to help protect victims of financial abuse, to help locate missing persons and to identify injured, ill or deceased individuals.
STREAMLINING RULES FOR BUSINESS
In its October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics, the Government committed to supporting business by providing greater clarity and certainty with respect to key provisions of PIPEDA. The Bill proposes exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes ("work product"), and information used for due diligence in business transactions. Organizations will also be able to share and use business contact information that is required to conduct day-to-day business.
In addition, a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.
SUPPORTING EFFECTIVE LAW ENFORCEMENT
Another key thrust of the Bill is supporting effective law enforcement. The Government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order. To avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.
COMPLETING A PARLIAMENTARY PROCESS
Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in the course of commercial activity. It has been in force since January 1, 2001, and is mandated to be reviewed by Parliament every five years.
This Bill acts on the Government's October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics arising from the first Parliamentary review of the Act. The Government Response addressed each of the 25 recommendations contained in the Committee's report and committed to amending the Act in agreement with many of the Committee's recommendations.
In its report, the Committee recognized that the Act is working well and does not require major changes at this time. The Committee recommended the "fine-tuning" of some of the Act's provisions and encouraged increased harmonization with provincial privacy laws.
Industry Canada, which administers the Act, conducted formal consultations with stakeholders in order to further develop and define options for implementing the Government Response to the Committee report. The Government received 76 written submissions, and officials held more than 25 meetings involving a wide range of stakeholders including business, consumer and privacy advocates, the Privacy Commissioner of Canada, provincial governments and law enforcement authorities.
Where possible, the proposed amendments take into consideration approaches taken in provincial privacy laws.
Government of Canada Reintroduces Anti-spam Legislation
On May 25, 2010, the Government of Canada reintroduced anti-spam legislation, entitled the Fighting Internet and Wireless Spam Act (FISA). Effective anti-spam legislation is critical to position Canada as a leader in the digital economy and, by reintroducing FISA, we are working to provide a more secure online environment for consumers and businesses.
Since the bill was originally introduced in April 2009, amendments have been made to address legitimate concerns brought forward through witness testimony during the review of the FISA by the House of Commons Standing Committee on Industry, Science and Technology (INDU) during the last session of Parliament. The FISA reflects the bill passed by the House of Commons on November 30, 2009, but contains some additional technical and coordinating amendments.
The Internet has become the primary platform for online commerce and general communications. The online marketplace represents a major segment of Canada's economy, with $62.7 billion in sales in 2007. According to the International Data Corporation in 2007, worldwide electronic commerce has been projected to exceed $9.6 trillion in 2010.
At the same time, there has been an enormous increase in the vulnerabilities of, and threats to, the Internet and online commerce. According to the MessageLabs Intelligence: 2009 Annual Security Report, nearly 90 percent of worldwide email traffic was spam, imposing costs on consumers and businesses as they interact in the digital economy.
The bill establishes a multi-faceted approach to enforcement that protects consumers and businesses alike with a clear regulatory enforcement regime consistent with international best practices. This legislation will make Canada a world leader in anti-spam measures.
An important component of the proposed FISA is the enforcement regime whereby the Canadian Radio-television and Telecommunications Commission (CRTC), Competition Bureau Canada and the Office of the Privacy Commissioner would be given the authority to share information and evidence with their counterparts that enforce similar laws internationally in order to pursue violators beyond our borders.
The proposed FISA would enable the CRTC to impose administrative monetary penalties (AMPs) of up to $1 million per violation for individuals and $10 million for businesses. The Competition Bureau Canada, through application to the Competition Tribunal, may seek AMPs under the current AMPs regime in the Competition Act. That regime allows for penalties of up to $750 000 for individuals and $1 million per subsequent violation, and up to $10 million for businesses and $15 million per subsequent violation. The Office of the Privacy Commissioner would use its existing tools and enforcement framework to enforce the provisions of this legislation. The bill also proposes that the Privacy Commissioner's powers to cooperate and exchange information with her international counterparts be expanded under the Personal Information Protection and Electronic Documents Act (PIPEDA).
This bill proposes a private right of action, modelled on U.S. legislation, which would allow consumers and businesses to take civil action against anyone who violates the FISA. The proposed technology-neutral approach allows all forms of commercial electronic messages to be treated the same way. This means that the proposed bill would also address unsolicited text messages, or "cellphone spam," as a form of "unsolicited commercial electronic message."
During the last session of Parliament, the bill received unanimous support in the House of Commons at third reading, and INDU heard from diverse witnesses representing enforcement agencies, industry associations, Internet service providers, consumer groups, marketers and the financial sector.
Moving forward, Industry Canada will act as a "national coordinating body" in order to expand awareness of the law and educate consumers, network operators and small businesses, coordinate work with the private sector and conduct research.
The government also intends to create a spam reporting centre that will work with the three enforcement agencies (the CRTC, Competition Bureau Canada and the Office of the Privacy Commissioner), engage in public awareness, identify and analyze trends in online threats and engage in public awareness.
Businesses will benefit from improved protection against threats to the network and from consumers' strengthened confidence in the online marketplace.