The Privacy Commissioner recently released (May 2013) a publication entitled The Case for Reforming the Personal Information Protection and Electronics Documents Act (PIPEDA). This document proposes expanding the powers of the Privacy Commissioner in a way that should cause significant concern for fraud victims and those investigating fraud in the private sector.
Some background to this discussion is helpful. Back in 2001 PIPEDA came into force with respect to federally regulated businesses. By 2004 it was phased in to affect all provincially registered business if a province did not have its own substantially similar legislation. The government primarily intended PIPEDA to protect Canadians from businesses that collected, used and disclosed their personal information for commercial purposes without their consent. The idea behind this legislation (which was being enacted in many advanced countries around the world), was that individuals should be able to control to whom their personal information is disclosed – especially if was being sold for commercial purposes by electronic means. These were and remain laudable goals, as most Canadians do not want their personal information sold without their consent, and most Canadians do not want to receive unsolicited electronic communications from organizations that have purchased their personal information. For the most part, thankfully, the Privacy Commissioner has stuck to this mandate.
That said, Canadians should be concerned as to whether the Privacy Commissioner has taken an overzealous approach to privacy issues by attempting to regulate those conducting fraud investigations in the private sector and by regulating the reporting of information to the police by private organizations. The authority of the Privacy Commissioner to regulate investigators in this way lies in section 7 of PIPEDA, which permits an organization to collect, use and disclose personal information without an individual’s consent if it is done so for the purposes of investigating some sort of legal wrong (such as fraud). The reasons for the non-consent provisions are obvious – being required to notify a fraudster that you are disclosing his or her personal information is counterproductive to investigating those involved, obtaining a recovery or stopping the loss.
Back in 2003 a lot of time and money was wasted by numerous organizations dealing with Industry Canada and the Privacy Commissioner’s office so that they could be listed as an “investigative body” in the regulations to PIPEDA (one of the stipulations for the disclosing of personal information of fraudsters and witnesses contained in section 7 of PIPEDA). Then, as time went on, the Privacy Commissioner accepted complaints from persons who were subject to an investigation who alleged it was unfair that their information was disclosed without their consent (they somehow came to know of this after the fact). For example, one of the more troublesome decisions of the Privacy Commissioner was that the images on convert video surveillance be pixilated so that the identity of the persons recorded by surveillance remained unknown. In addition to increasing the costs of investigations tremendously, this “guideline” of the Privacy Commissioner hampered an investigator’s ability to identify witnesses and it raised the issue of tampering with evidence when such images were subsequently used in legal proceedings.
It is fair to say that the legislators involved in drafting PIPEDA did not anticipate that the Privacy Commissioners (Mr. Radwanski and Ms. Stoddart) would interfere with private sector investigations to the extent they did. Thankfully the Courts have reined in the Privacy Commissioners’ ability to interfere in private investigations. For example, an Ontario judge in the case Ferenczy v. MCI Medical held that the disclosure of personal information by a private investigator to his or her client was not a commercial activity for the purposes of PIPEDA, and accordingly evidence could not be excluded because of an alleged breach of federal legislation. The Privacy Commissioner was greatly dismayed with this ruling and refused to acknowledge the Court’s ruling as law. Later a Federal Court judge in the case State Farm v. Privacy Commissioner of Canada supported the Ontario court decision, and further held that the Privacy Commissioner did not have the mandate to investigate complaints involving the collection of evidence for investigative purposes. The Federal Court went even further to state that the Privacy Commissioner is merely an ombudsman without order-making power.
It is against this backdrop that the Privacy Commissioner has released The Case for Reforming PIPEDA in May 2013. The Privacy Commissioner is now asking the federal government to give her the powers the Federal Court explicitly held she does not have. In her paper, the Privacy Commissioner is seeking amendments to PIPEDA to give her order-making powers, the power to order monetary penalties, the power to award damages to complainants, the power to require organizations to disclose to her how often they disclose personal information to law enforcement, as well as various powers to enforce compliance with her guidelines. While such powers may be appropriate in some business contexts (for example organizations in the business of selling consumer lists), it is not appropriate for fraud victims and those involved in fraud investigations in the private sector.
Fraud victims come in all shapes and sizes. Some fraud victims are large institutions such as insurance companies and banks subjected to insurance schemes or commercial frauds. Others are large corporations subjected to internal thefts or external attacks on their intellectual and physical property. Others are small organizations and individuals subjected to a wide variety of misadventures. Over the past 10 years, virtually nothing has been done by the Privacy Commissioner to enhance private and public sector law enforcement (other than voicing some concern about identity theft). Rather, the Privacy Commissioner has brought in policies that have frustrated investigations and significantly increased the costs of other investigations that still proceed. Fraud victims and those investigating in the private sector have an interest in the “investigative body” designation being removed from PIPEDA, the section 7 “non-consent” provisions being liberalized for investigative purposes, and the Privacy Commissioner’s authority remaining that of an ombudsman. Responding to The Privacy Commissioner’s publication The Case for Reforming PIPEDA to ensure the government is aware of the concerns of fraud victims is once again necessary.
At Investigation Counsel PC, we are experienced at obtaining information for fraud victims and responding to privacy law concerns. For further information, contact us
Disclaimer