In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customers' information. It also includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

The Bill provides no guidance for organizations on when it is or is not legitimate to assist government agents. It provides vague standards for what investigative activities should qualify and vaguer definitions of what 'authority' a state agent must present before an organization may disclose information. It then immunizes organizations from responsibility over even the most careless of disclosures made in situations where no reasonable person would believe the validity of the lawful authority identified. Finally, it puts in place a gag order of general application which forces organizations to ask permission before informing customers that the disclosures have been made.

The Bill also introduces new exceptions that will permit organizations to give away customer information to any private entity who is contemplating a lawsuit. There is no obligation to verify whether the lawsuit in question has any realistic chance of success, whether it is being made in good faith, or even if the requesting party ever intends to file the suit. Online information repositories are already being used against Canadians in lawsuits at unprecedented rates. But currently, such information is typically collected through discovery processes where safeguards are in place.

In an era where personal information is a commodity and businesses are able to track their customers' every move or conversation, removing barriers to disclosures of such information repositories is a serious threat to civil liberties. What is needed is more protections, not more exceptions.

Where the Bill attempts to provide those protections, through breach notification requirements and a strengthening of consent obligations, it fails. Breach notification is an essential and long overdue requirement. Customers must be notified when their personal information has been leaked or lost so they can take remedial measures. Bill C-29 requires organizations to inform the Privacy Commissioner of any 'material' breach. But 'material' is defined in a highly subjective manner and, without any penalty for failing to disclose, there is no incentive for organizations to err on the side of caution.