Canadian privacy officials are hoping to tighten the country's more-than-decade-old privacy law, right as reports emerge that the U.S. government is engaged in the mass collection of data on its residents, a two-person panel told attendees Wednesday at SC Congress Canada in Toronto.
PIPEDA, or the Personal Information Protection and Electronic Documents Act, became law in Canada in April 2000, but hasn't been updated to address modern day, as it predates the rise of data repositories such as Facebook.
That's why Privacy Commissioner Jennifer Stoddart is making a renewed push to reform the bill, evidenced last week in her annual report to Parliament.
Panelist Jason Lin, CSO of Ontario Telemedicine Network, a nonprofit that provides video conferencing-based care to hospital patients, said Stoddart wants to beef up enforcement. Right now, organizations that expose records can voluntarily report the incident to customers, but are not required.
This distinction becomes particularly important in the wake of news that the the U.S. National Security Agency is running a surveillance program known as Prism that, according to The Guardian newspaper, has direct server access to internet behemoths such as Google, Apple and Facebook, though many of these companies have disputed that is the case.
Still, the program, no matter how exactly it is set up, has raised concern among people like Stoddart, who wants to see automatic reporting when an organization is asked for records.
"All she is saying is listen, if [there is going to be] this warrant-less seizure of data, at least let the [Canadian] public know," Lin said.
His fellow panelist, Deepak Rout, CSO of The Co-operators Group, an auto and home insurance company, advised audience members to understand the risks when outsourcing data to the United States.
"Assume it's exposed to those [government] agencies," he said.
The panelists also encouraged attendees to be wary of sharing data in the cloud, because if a partner or provider experiences a breach, the organization that owns the data is still on the hook.
"Accountability doesn't move away from you," Lin said.
Privacy advocates in Canada celebrated a win in March when Bill C-30, which would have permitted law enforcement to compel internet service providers (ISPs) to identify clients without a warrant, was shelved.